n Horizon 7 7 - VMware · Administering Cloud Pod Architecture in Horizon 7 Modified on 26 JUL 2017 VMware Horizon 7 7.2

Administering Cloud Pod Architecturein Horizon 7

Modified on 26 JUL 2017VMware Horizon 7 7.2

Administering Cloud Pod Architecture in Horizon 7

2 VMware, Inc.

You can find the most up-to-date technical documentation on the VMware Web site at:

https://docs.vmware.com/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

[email protected]

Copyright © 2017 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc.3401 Hillview Ave.Palo Alto, CA 94304www.vmware.com

https://docs.vmware.com/

mailto:[email protected]

http://pubs.vmware.com/copyright-trademark.html

Contents

Administering Cloud Pod Architecture in Horizon 7 5

1 Introduction to Cloud Pod Architecture 7

Understanding Cloud Pod Architecture 7Configuring and Managing a Cloud Pod Architecture Environment 8Cloud Pod Architecture Limitations 8

2 Designing a Cloud Pod Architecture Topology 9

Creating Cloud Pod Architecture Sites 9Entitling Users and Groups in the Pod Federation 10Finding and Allocating Desktops and Applications in the Pod Federation 10Considerations for Unauthenticated Users 12Global Entitlement Example 13Restricting Access to Global Entitlements 13Considerations for Workspace ONE Mode 15Cloud Pod Architecture Topology Limits 16Cloud Pod Architecture Port Requirements 16Security Considerations for Cloud Pod Architecture Topologies 16

3 Setting Up a Cloud Pod Architecture Environment 17

Initialize the Cloud Pod Architecture Feature 17Join a Pod to the Pod Federation 18Assign a Tag to a Connection Server Instance 19Create and Configure a Global Entitlement 20Add a Pool to a Global Entitlement 22Create and Configure a Site 23Assign a Home Site to a User or Group 24Create a Home Site Override 25Test a Cloud Pod Architecture Configuration 25Example: Setting Up a Basic Cloud Pod Architecture Configuration 26

4 Managing a Cloud Pod Architecture Environment 31

View a Cloud Pod Architecture Configuration 31View Pod Federation Health in Horizon Administrator 32View Desktop and Application Sessions in the Pod Federation 33Add a Pod to a Site 33Modifying Global Entitlements 34Managing Home Site Assignments 37Remove a Pod From the Pod Federation 39Uninitialize the Cloud Pod Architecture Feature 39

VMware, Inc. 3

5 lmvutil Command Reference 41lmvutil Command Use 41Initializing the Cloud Pod Architecture Feature 44Disabling the Cloud Pod Architecture Feature 45Managing Pod Federations 45Managing Sites 47Managing Global Entitlements 50Managing Home Sites 58Viewing a Cloud Pod Architecture Configuration 60Managing SSL Certificates 65

Index 67


4 VMware, Inc.

Administering Cloud Pod Architecture in Horizon7

Administering Cloud Pod Architecture in Horizon 7 describes how to configure and administer a Cloud PodArchitecture environment in VMware Horizon® 7, including how to plan a Cloud Pod Architecturetopology and set up, monitor, and maintain a Cloud Pod Architecture configuration.

Intended AudienceThis information is intended for anyone who wants to set up and maintain a Cloud Pod Architectureenvironment. The information is written for experienced Windows or Linux system administrators who arefamiliar with virtual machine technology and data center operations.

VMware Technical Publications GlossaryVMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitionsof terms as they are used in VMware technical documentation, go to http://www.vmware.com/support/pubs.

VMware, Inc. 5

http://www.vmware.com/support/pubs


6 VMware, Inc.

Introduction to Cloud PodArchitecture 1

The Cloud Pod Architecture feature uses standard Horizon components to provide cross-datacenteradministration, global and flexible user-to-desktop mapping, high availability desktops, and disasterrecovery capabilities.

This chapter includes the following topics:

n “Understanding Cloud Pod Architecture,” on page 7

n “Configuring and Managing a Cloud Pod Architecture Environment,” on page 8

n “Cloud Pod Architecture Limitations,” on page 8

Understanding Cloud Pod ArchitectureWith the Cloud Pod Architecture feature, you can link together multiple pods to provide a single largedesktop and application brokering and management environment.

A pod consists of a set of Connection Server instances, shared storage, a database server, and the vSphereand network infrastructures required to host desktop and application pools. In a traditional Horizonimplementation, you manage each pod independently. With the Cloud Pod Architecture feature, you canjoin together multiple pods to form a single Horizon implementation called a pod federation.

A pod federation can span multiple sites and datacenters and simultaneously simplify the administrationeffort required to manage a large-scale Horizon deployment.

The following diagram is an example of a basic Cloud Pod Architecture topology.

Figure 1‑1. Basic Cloud Pod Architecture Topology

SecurityServerUser

ViewConnection

Server

ViewConnection

Server

SecurityServer

ViewConnection

Server

ViewConnection

Server

SecurityServer

SecurityServer

London Pod

London Datacenter

Interpodcommunication

Remotedesktop orapplication

New York Pod

New York Datacenter

Global Data Layer

VMware, Inc. 7

In the example topology, two previously standalone pods in different datacenters are joined together to forma single pod federation. An end user in this environment can connect to a Connection Server instance in theNew York datacenter and receive a desktop or application in the London data center.

Sharing Key Data in the Global Data LayerConnection Server instances in a pod federation use the Global Data Layer to share key data. Shared dataincludes information about the pod federation topology, user and group entitlements, policies, and otherCloud Pod Architecture configuration information.

In a Cloud Pod Architecture environment, shared data is replicated on every Connection Server instance in apod federation. Entitlement and topology configuration information stored in the Global Data Layerdetermines where and how desktops are allocated across the pod federation.

Horizon sets up the Global Data Layer on each Connection Server instance in a pod federation when youinitialize the Cloud Pod Architecture feature.

Sending Messages Between PodsConnection Server instances communicate in a Cloud Pod Architecture environment by using an interpodcommunication protocol called the View InterPod API (VIPA).

Connection Server instances use the VIPA communication channel to launch new desktops, find existingdesktops, and share health status data and other information. Horizon configures the VIPA communicationchannel when you initialize the Cloud Pod Architecture feature.

Configuring and Managing a Cloud Pod Architecture EnvironmentYou use Horizon Administrator and the lmvutil command-line interface to configure and manage a CloudPod Architecture environment. lmvutil is installed as part of the Horizon installation. You can also useHorizon Administrator to view pod health and session information.

Cloud Pod Architecture LimitationsThe Cloud Pod Architecture feature has certain limitations.

n The Cloud Pod Architecture feature is not supported in an IPv6 environment.

n Kiosk mode clients are not supported in a Cloud Pod Architecture implementation unless youimplement a workaround. For instructions, see VMware Knowledge Base (KB) article 2148888.


8 VMware, Inc.

http://kb.vmware.com/kb/2148888

Designing a Cloud Pod ArchitectureTopology 2

Before you begin to configure the Cloud Pod Architecture feature, you must make decisions about yourCloud Pod Architecture topology. Cloud Pod Architecture topologies can vary, depending on your goals, theneeds of your users, and your existing Horizon implementation. If you are joining existing Horizon pods toa pod federation, your Cloud Pod Architecture topology is typically based on your existing networktopology.


n “Creating Cloud Pod Architecture Sites,” on page 9

n “Entitling Users and Groups in the Pod Federation,” on page 10

n “Finding and Allocating Desktops and Applications in the Pod Federation,” on page 10

n “Considerations for Unauthenticated Users,” on page 12

n “Global Entitlement Example,” on page 13

n “Restricting Access to Global Entitlements,” on page 13

n “Considerations for Workspace ONE Mode,” on page 15

n “Cloud Pod Architecture Topology Limits,” on page 16

n “Cloud Pod Architecture Port Requirements,” on page 16

n “Security Considerations for Cloud Pod Architecture Topologies,” on page 16

Creating Cloud Pod Architecture SitesIn a Cloud Pod Architecture environment, a site is a collection of well-connected pods in the same physicallocation, typically in a single datacenter. The Cloud Pod Architecture feature treats pods in the same siteequally.

When you initialize the Cloud Pod Architecture feature, it places all pods into a default site called DefaultFirst Site. If you have a large implementation, you might want to create additional sites and add pods tothose sites.

The Cloud Pod Architecture feature assumes that pods in the same site are on the same LAN, and that podsin different sites are on different LANs. Because WAN-connected pods have slower network performance,the Cloud Pod Architecture feature gives preference to desktops and applications that are in the local pod orsite when it allocates desktops and applications to users.

Sites can be a useful part of a disaster recovery solution. For example, you can assign pods in differentdatacenters to different sites and entitle users and groups to pools that span those sites. If a datacenter inone site becomes unavailable, you can use desktops and applications from the available site to satisfy userrequests.

VMware, Inc. 9

Entitling Users and Groups in the Pod FederationIn a traditional Horizon environment, you use Horizon Administrator to create local entitlements. Theselocal entitlements entitle users and groups to a specific desktop or application pool on a Connection Serverinstance.

In a Cloud Pod Architecture environment, you create global entitlements to entitle users or groups tomultiple desktops and applications across multiple pods in the pod federation. When you use globalentitlements, you do not need to configure and manage local entitlements. Global entitlements simplifyadministration, even in a pod federation that contains a single pod.

Global entitlements are stored in the Global Data Layer. Because global entitlements are shared data, globalentitlement information is available on all Connection Server instances in the pod federation.

You entitle users and groups to desktops by creating global desktop entitlements. Each global desktopentitlement contains a list of member users or groups, a list of the desktop pools that can provide desktopsfor entitled users, and a scope policy. The desktop pools in a global entitlement can be either floating ordedicated pools. You specify whether a global entitlement is floating or dedicated during global entitlementcreation.

You entitle users and groups to applications by creating global application entitlements. Each globalapplication entitlement contains a list of the member users or groups, a list of the application pools that canprovide applications for entitled users, and a scope policy.

A global entitlement's scope policy specifies where Horizon looks for desktops or applications when itallocates desktops or applications to users in the global entitlement. It also determines whether Horizonlooks for desktops or applications in any pod in the pod federation, in pods that reside in the same site, oronly in the pod to which the user is connected.

As a best practice, you should not configure local and global entitlements for the same desktop pool. Forexample, if you create both local and global entitlements for the same desktop pool, the same desktop mightappear as a local and a global entitlement in the list of desktops and applications that Horizon Client showsto an entitled user. Similarly, you should not configure both local and global entitlements for applicationpools created from the same farm.

Finding and Allocating Desktops and Applications in the PodFederation

Connection Server instances in a Cloud Pod Architecture environment use shared global entitlement andtopology configuration information from the Global Data Layer to determine where to search for and how toallocate desktops and applications across the pod federation.

When a user requests a desktop or application from a global entitlement, Horizon searches for an availabledesktop or application in the pools that are associated with that global entitlement. By default, Horizongives preference to the local pod, the local site, and pods in other sites, in that order.

For global desktop entitlements that contain dedicated desktop pools, Horizon uses the default searchbehavior only the first time a user requests a desktop. After Horizon allocates a dedicated desktop, it returnsthe user directly to the same desktop.

You can modify the search and allocation behavior for individual global entitlements by setting the scopepolicy and configuring home sites.


10 VMware, Inc.

Understanding the Scope PolicyWhen you create a global desktop entitlement or global application entitlement, you must specify its scopepolicy. The scope policy determines the scope of the search when Horizon looks for desktops or applicationsto satisfy a request from the global entitlement.

You can set the scope policy so that Horizon searches only on the pod to which the user is connected, onlyon pods within the same site as the user's pod, or across all pods in the pod federation.

For global desktop entitlements that contain dedicated pools, the scope policy affects where Horizon looksfor desktops the first time a user requests a dedicated desktop. After Horizon allocates a dedicated desktop,it returns the user directly to the same desktop.

Understanding the Multiple Sessions Per User PolicyWhen you create a global desktop entitlement, you can specify whether users can initiate separate desktopsessions from different client devices. The multiple sessions per user policy applies only to global desktopentitlements that contain floating desktop pools.

When you enable the multiple sessions per user policy, users that connect to the global entitlement fromdifferent client devices receive different desktop sessions. To reconnect to an existing desktop session, usersmust use the same device from which that session was initiated. If you do not enable this policy, users arealways reconnected to their existing desktop sessions, regardless of the client device that they use.

If you enable the multiple sessions per user policy for a global entitlement, all of the desktop poolsassociated with the global entitlement must also support multiple users per session.

Using Home SitesA home site is a relationship between a user or group and a Cloud Pod Architecture site. With home sites,Horizon begins searching for desktops and applications from a specific site rather than searching fordesktops and applications based on the user's current location.

If the home site is unavailable or does not have resources to satisfy the user's request, Horizon continuessearching other sites according to the scope policy set for the global entitlement.

For global desktop entitlements that contain dedicated pools, the home site affects where Horizon looks fordesktops the first time a user requests a dedicated desktop. After Horizon allocates a dedicated desktop, itreturns the user directly to the same desktop.

The Cloud Pod Architecture feature includes the following types of home site assignments.

Global home site A home site that is assigned to a user or group.

If a user who has a home site belongs to a group that is associated with adifferent home site, the home site associated with the user takes precedenceover the group home site assignment.

Chapter 2 Designing a Cloud Pod Architecture Topology

VMware, Inc. 11

Global homes sites are useful for controlling where roaming users receivedesktops and applications. For example, if a user has a home site in NewYork but is visiting London, Horizon begins looking in the New York site tosatisfy the user's desktop request rather than allocating a desktop closer tothe user. Global home site assignments apply for all global entitlements.

Important Global entitlements do not recognize home sites by default. Tomake a global entitlement use home sites, you must select the Use home siteoption when you create or modify the global entitlement.

Per-global-entitlementhome site (home siteoverride)

A home site that is associated with a global entitlement.

Per-global-entitlement home sites override global home site assignments. Forthis reason, per-global-entitlement home sites are also referred to as homesite overrides.

For example, if a user who has a home site in New York accesses a globalentitlement that associates that user with the London home site, Horizonbegins looking in the London site to satisfy the user's application requestrather than allocating an application from the New York site.

Configuring home sites is optional. If a user does not have a home site, Horizon searches for and allocatesdesktops and applications as described in “Finding and Allocating Desktops and Applications in the PodFederation,” on page 10.

Considerations for Unauthenticated UsersA Horizon administrator can create users for unauthenticated access to published applications on aConnection Server instance. In a Cloud Pod Architecture environment, you can entitle these unauthenticatedusers to applications across the pod federation by adding them to global application entitlements.

Following are considerations for unauthenticated users in a Cloud Pod Architecture environment.

n Unauthenticated users can have only global application entitlements. If an unauthenticated user isincluded in a global desktop entitlement, a warning icon appears next to the name on the Users andGroups tab for the global desktop entitlement in Horizon Administrator.

n When you join a pod to the pod federation, unauthenticated user data is migrated to the Global DataLayer. If you unjoin or eject a pod that contains unauthenticated users from the pod federation,unauthenticated user data for that pod is removed from the Global Data Layer.

n You can have only one unauthenticated user for each Active Directory user. If the same user alias ismapped to more than one Active Directory user, Horizon Administrator displays an error message onthe Unauthenticated Access tab on the Users and Groups pane.

n You can assign home sites to unauthenticated users.

n Unauthenticated users can have multiple sessions.

For information about setting up unauthenticated users, see the View Administration document.


12 VMware, Inc.

Global Entitlement ExampleIn this example, NYUser1 is a member of the global desktop entitlement called My Global Pool. My GlobalPool provides an entitlement to three floating desktop pools, called pool1, pool2, and pool3. pool1 and pool2are in a pod called NY Pod in the New York datacenter and pool3 and pool4 are in a pod called LDN Pod inthe London datacenter.

Figure 2‑1. Global Entitlement Example

New York Datacenter

Pod Federation

Global Entitlement“My Global Pool”

Members:NYUser1NYUser2

Pools:pool1pool2pool3

Scope: Any

pool1 pool2

NY Pod

London Datacenter

pool3 pool4

LDN Pod

NYUser1

Because My Global Pool has a scope policy of ANY, the Cloud Pod Architecture feature looks for desktopsacross both NY Pod and LDN Pod when NYUser1 requests a desktop. The Cloud Pod Architecture featuredoes not try to allocate a desktop from pool4 because pool4 is not part of My Global Pool.

If NYUser1 logs into NY Pod, the Cloud Pod Architecture feature allocates a desktop from pool1 or pool2, ifa desktop is available. If a desktop is not available in either pool1 or pool2, the Cloud Pod Architecturefeature allocates a desktop from pool3.

For an example of restricted global entitlements, see “Restricted Global Entitlement Example,” on page 14.

Restricting Access to Global EntitlementsYou can configure the restricted global entitlements feature to restrict access to global entitlements based onthe Connection Server instance that users initially connect to when they select global entitlements.

With restricted global entitlements, you assign one or more tags to a Connection Server instance. Then,when you configure a global entitlement, you specify the tags of the Connection Server instances that youwant to have access to the global entitlement.

You can add tags to global desktop entitlements and global application entitlements.

Tag MatchingThe restricted global entitlements feature uses tag matching to determine whether a Connection Serverinstance can access a particular global entitlement.

At the most basic level, tag matching determines that a Connection Server instance that has a specific tag canaccess a global entitlement that has the same tag.

The absence of tag assignments can also affect whether users that connect to a Connection Server instancecan access a global entitlement. For example, Connection Server instances that do not have any tags can onlyaccess global entitlements that also do not have any tags.


VMware, Inc. 13

Table 2-1 shows how tag matching determines when a Connection Server instance can access a globalentitlement.

Table 2‑1. Tag Matching Rules

Connection Server Global Entitlement Access Permitted?

No tags No tags Yes

No tags One or more tags No

One or more tags No tags Yes

One or more tags One or more tags Only when tags match

The restricted global entitlements feature only enforces tag matching. You must design your networktopology to force certain clients to connect through a particular Connection Server instance.

Considerations and Limitations for Restricted Global EntitlementsBefore implementing restricted global entitlements, you must be aware of certain considerations andlimitations.

n A single Connection Server instance or global entitlement can have multiple tags.

n Multiple Connection Server instances and global entitlements can have the same tag.

n Any Connection Server instance can access a global entitlement that does not have any tags.

n Connection Server instances that do not have any tags can access only global entitlements that also donot have any tags.

n If you use a security server, you must configure restricted entitlements on the Connection Serverinstance with which the security server is paired. You cannot configure restricted entitlements on asecurity server.

n Restricted global entitlements take precedence over other entitlements or assignments. For example,even if a user is assigned to a particular machine, the user cannot access that machine if the tag assignedto the global entitlement does not match the tag assigned to the Connection Server instance to which theuser is connected.

n If you intend to provide access to your global entitlements through VMware Identity Manager and youconfigure Connection Server restrictions, the VMware Identity Manager app might display globalentitlements to users when the global entitlements are actually restricted. When aVMware Identity Manager user attempts to connect to a global entitlement, the desktop or applicationdoes not start if the tag assigned to the global entitlement does not match the tag assigned to theConnection Server instance to which the user is connected.

Restricted Global Entitlement ExampleThis example shows a Cloud Pod Architecture environment that includes two pods. Both pods contain twoConnection Server instances. The first Connection Server instance supports internal users and the secondConnection Server instance is paired with a security server and supports external users.

To prevent external users from accessing certain desktop and application pools, you could assign tags asfollows:

n Assign the tag "Internal" to the Connection Server instance that support your internal users.

n Assign the tag "External" to the Connection Server instances that support your external users.

n Assign the "Internal" tag to the global entitlements that should be accessible only to internal users.

n Assign the "External" tag to the global entitlements that should be accessible only to external users.


14 VMware, Inc.

External users cannot see the global entitlements that are tagged as Internal because they log in through theConnection Server instances that are tagged as External. Internal users cannot see the global entitlementsthat are tagged as External because they log in through the Connection Server instances that are tagged asInternal.

In the following diagram, User1 connects to the Connection Server instance called CS1. Because CS1 istagged Internal and Global Entitlement 1 is also tagged internal, User1 can only see Global Entitlement 1.Because Global Entitlement 1 contains pools secret1 and secret2, User1 can only receive desktops orapplications from the secret1 and secret2 pools.

Figure 2‑2. Restricted Global Entitlement Example

CS1Tag:

Internal

CS2Tag:

ExternalUser1

Pool:public1

Pool:secret1

Global Entitlement 1

Tags: InternalPools: secret1, secret2Members: all users

Global Entitlement 2

Tags: ExternalPools: public1, public2Members: all users

Pod 1

Pod Federation

CS3Tag:

Internal

CS4Tag:

External

Pool:public2

Pool:secret2

Pod 2

Considerations for Workspace ONE ModeIf a Horizon administrator enables Workspace ONE mode for a Connection Server instance, Horizon Clientusers can be redirected to a Workspace ONE server to launch their entitlements.

During Workspace ONE mode configuration, a Horizon administrator specifies the host name of theWorkspace ONE server. In a Cloud Pod Architecture environment, every pod in the pod federation must beconfigured to point to the same Workspace ONE server.

For information about configuring Workspace ONE mode, see "Configure Workspace ONE Access Policiesin Horizon Administrator" in the View Administration document.


VMware, Inc. 15

Cloud Pod Architecture Topology LimitsA typical Cloud Pod Architecture topology consists of two or more pods, which are linked together in a podfederation. Pod federations are subject to certain limits.

Table 2‑2. Pod Federation Limits

Object Limit

Total sessions 120,000

Pods 25

Sessions per pod 10,000

Sites 5

Connection Server instances 175

Cloud Pod Architecture Port RequirementsCertain network ports must be opened on the Windows firewall for the Cloud Pod Architecture feature towork. When you install Connection Server, the installation program can optionally configure the requiredfirewall rules for you. These rules open the ports that are used by default. If you change the default portsafter installation, or if your network has other firewalls, you must manually configure the Windows firewall.

Table 2‑3. Ports Opened During Connection Server Installation

ProtocolTCPPort Description

HTTP 22389 Used for Global Data Layer LDAP replication. Shared data is replicated on every ConnectionServer instance in a pod federation. Each Connection Server instance in a pod federation runs asecond LDAP instance to store shared data.

HTTPS 22636 Used for secure Global Data Layer LDAP replication.

HTTPS 8472 Used for View Interpod API (VIPA) communication. Connection Server instances use the VIPAcommunication channel to launch new desktops and applications, find existing desktops, andshare health status data and other information.

Security Considerations for Cloud Pod Architecture TopologiesTo use Horizon Administrator or the lmvutil command to configure and manage a Cloud Pod Architectureenvironment, you must have the Administrators role. Users who have the Administrators role on the rootaccess group are super users.

When a Connection Server instance is part of a replicated group of Connection Server instances, the rights ofsuper users are extended to other Connection Server instances in the pod. Similarly, when a pod is joined toa pod federation, the rights of super users are extended to all of the Connection Server instances in all of thepods in the pod federation. These rights are necessary to modify global entitlements and perform otheroperations on the Global Data Layer.

If you do not want certain super users to be able to perform operations on the Global Data Layer, you canremove the Administrators role assignment and assign the Local Administrators role instead. Users whohave the Local Administrators role have super user rights only on their local Connection Server instance andon any instances in a replicated group.

For information about assigning roles in Horizon Administrator, see the View Administration document.


16 VMware, Inc.

Setting Up a Cloud Pod ArchitectureEnvironment 3

Setting up a Cloud Pod Architecture environment involves initializing the Cloud Pod Architecture feature,joining pods to the pod federation, and creating global entitlements.

You must create and configure at least one global entitlement to use the Cloud Pod Architecture feature. Youcan optionally create sites and assign home sites.


n “Initialize the Cloud Pod Architecture Feature,” on page 17

n “Join a Pod to the Pod Federation,” on page 18

n “Assign a Tag to a Connection Server Instance,” on page 19

n “Create and Configure a Global Entitlement,” on page 20

n “Add a Pool to a Global Entitlement,” on page 22

n “Create and Configure a Site,” on page 23

n “Assign a Home Site to a User or Group,” on page 24

n “Create a Home Site Override,” on page 25

n “Test a Cloud Pod Architecture Configuration,” on page 25

n “Example: Setting Up a Basic Cloud Pod Architecture Configuration,” on page 26

Initialize the Cloud Pod Architecture FeatureBefore you configure a Cloud Pod Architecture environment, you must initialize the Cloud Pod Architecturefeature.

You need to initialize the Cloud Pod Architecture feature only once, on the first pod in a pod federation. Toadd pods to the pod federation, you join the new pods to the initialized pod.

During the initialization process, Horizon sets up the Global Data Layer on each Connection Server instancein the pod, configures the VIPA communication channel, and establishes a replication agreement betweeneach Connection Server instance.

Procedure

1 Log in to the Horizon Administrator user interface for any Connection Server instance in the pod.

You can initialize the Cloud Pod Architecture feature from any Connection Server instance in a pod.

2 In Horizon Administrator, select View Configuration > Cloud Pod Architecture and click Initialize theCloud Pod Architecture feature.

VMware, Inc. 17

3 When the Initialize dialog box appears, click OK to begin the initialization process.

Horizon Administrator shows the progress of the initialization process. The initialization process cantake several minutes.

After the Cloud Pod Architecture feature is initialized, the pod federation contains the initialized podand a single site. The default pod federation name is Horizon Cloud Pod Federation. The default podname is based on the host name of the Connection Server instance. For example, if the host name is CS1,the pod name is Cluster-CS1. The default site name is Default First Site.

4 When Horizon Administrator prompts you to reload the client, click OK.

After the Horizon Administrator user interface is refreshed, Global Entitlements appears underCatalog and Sites appears under View Configuration in the Horizon Administrator Inventory panel.

5 (Optional) To change the default name of the pod federation, select View Configuration > Cloud PodArchitecture, click Edit, type the new name in the Name text box, and click OK.

6 (Optional) To change the default name of the pod, select View Configuration > Sites, select the pod,click Edit, type the new name in the Name text box, and click OK.

7 (Optional) To change the default name of the site, select View Configuration > Sites, select the site, clickEdit, type the new name in the Name text box, and click OK.

What to do next

To add more pods to the pod federation, see “Join a Pod to the Pod Federation,” on page 18.

Join a Pod to the Pod FederationDuring the Cloud Pod Architecture initialization process, the Cloud Pod Architecture feature creates a podfederation that contains a single pod. You can use Horizon Administrator to join additional pods to the podfederation. Joining additional pods is optional.

Important Do not stop or start a Connection Server instance while you are joining it to a pod federation.The Connection Server service might not restart correctly. You can stop and start the Connection Server afterit is successfully joined to the pod federation.

Prerequisites

n Make sure the Connection Server instances that you want to join have different host names. You cannotjoin servers that have the same name, even if they are in different domains.

n Initialize the Cloud Pod Architecture feature. See “Initialize the Cloud Pod Architecture Feature,” onpage 17.

Procedure

1 Log in to the Horizon Administrator user interface for a Connection Server instance in the pod that youare joining to the pod federation.

2 In Horizon Administrator, select View Configuration > Cloud Pod Architecture and click Join the podfederation.

3 In the Connection Server text box, type the host name or IP address of any Connection Server instancein any pod that has been initialized or is already joined to the pod federation.

4 In the User name text box, type the name of a Horizon administrator user on the already initializedpod.

Use the format domain\username.

5 In the Password text box, type the password for the Horizon administrator user.


18 VMware, Inc.

6 Click OK to join the pod to the pod federation.

Horizon Administrator shows the progress of the join operation. The default pod name is based on thehost name of the Connection Server instance. For example, if the host name is CS1, the pod name isCluster-CS1.


After the Horizon Administrator user interface is refreshed, Global Entitlements appears underCatalog and Sites appears under View Configuration in the Horizon Administrator Inventory panel.

8 (Optional) To change the default name of the pod, select View Configuration > Sites, select the pod,click Edit, type the new name in the Name text box, and click OK.

After the pod is joined to the pod federation, it begins to share health data. You can view this health data onthe dashboard in Horizon Administrator. See “View Pod Federation Health in Horizon Administrator,” onpage 32.

Note A short delay might occur before health data is available in Horizon Administrator.

What to do next

You can repeat these steps to join additional pods to the pod federation.

Assign a Tag to a Connection Server InstanceIf you plan to restrict access to a global entitlement based on the Connection Server instance that usersinitially connect to when they select the global entitlement, you must first assign one or more tags to theConnection Server instance.

Prerequisites

Become familiar with the restricted global entitlements feature. See “Restricting Access to GlobalEntitlements,” on page 13.

Procedure

1 Log in to Horizon Administrator for the Connection Server instance.

2 Select View Configuration > Servers.

3 Click the Connection Servers tab, select the Connection Server instance, and click Edit.

4 Type one or more tags in the Tags text box.

Separate multiple tags with a comma or semicolon.

5 Click OK to save your changes.

6 Repeat these steps for each Connection Server instance to which you want to assign tags.

What to do next

When you create or edit a global entitlement, select the tags that are associated with the Connection Serverinstances that you want to access the global entitlement. See “Create and Configure a Global Entitlement,”on page 20, or “Modify Attributes or Policies for a Global Entitlement,” on page 35.

Chapter 3 Setting Up a Cloud Pod Architecture Environment

VMware, Inc. 19

Create and Configure a Global EntitlementYou use global entitlements to entitle users and groups to desktops and applications in a Cloud PodArchitecture environment. Global entitlements provide the link between users and their desktops andapplications, regardless of where those desktops and applications reside in the pod federation.

A global entitlement contains a list of member users or groups, a set of policies, and a list of the pools thatcan provide desktops or applications for entitled users. You can add both users and groups, only users, oronly groups, to a global entitlement.

Prerequisites


n Decide which type of global desktop entitlement to create, the users and groups to include in the globalentitlement, and the scope of the global entitlement. See “Entitling Users and Groups in the PodFederation,” on page 10.

n Decide whether to restrict access to the global entitlement based on the Connection Server instance thatusers initially connect to when they select the global entitlement. See “Restricting Access to GlobalEntitlements,” on page 13.

n If you plan to restrict access to the global entitlement, assign one or more tags to the Connection Serverinstance. See “Assign a Tag to a Connection Server Instance,” on page 19.

n Decide whether the global entitlement uses home sites. See “Using Home Sites,” on page 11.

Procedure

1 Log in to the Horizon Administrator user interface for any Connection Server instance in the podfederation.

2 In Horizon Administrator, select Catalog > Global Entitlements and click Add.

3 Select the type of global entitlement to add and click Next.

Option Description

Desktop Entitlement Adds a global desktop entitlement.

Application Entitlement Adds a global application entitlement.

4 Configure the global entitlement.

a Type a name for the global entitlement in the Name text box.

The name can contain between 1 and 64 characters. This name appears in the list of availabledesktops and applications in Horizon Client for an entitled user.

b (Optional) Type a description of the global entitlement in the Description text box.

The description can contain between 1 and 1024 characters.

c (Optional) To restrict access to the global entitlement, click Browse, select Restricted to these tags,select the tags to associate with the global entitlement, and click OK.

Only the Connection Server instances that have the selected tags can access the global entitlement.

Note You can only select tags assigned to Connection Server instances in the local pod. To selecttags assigned to Connection Server instances in another pod, you must log in to HorizonAdministrator for a Connection Server instance in the other pod and modify the global entitlement.


20 VMware, Inc.

d If you are configuring a global desktop entitlement, select a user assignment policy.

The user assignment policy specifies the type of desktop pool that a global desktop entitlement cancontain. You can select only one user assignment policy.

Option Description

Floating Creates a floating desktop entitlement. A floating desktop entitlementcan contain only floating desktop pools.

Dedicated Creates a dedicated desktop entitlement. A dedicated desktopentitlement can contain only dedicated desktop pools.

e Select a scope policy for the global entitlement.

The scope policy specifies where to look for desktops or applications to satisfy a request from theglobal entitlement. You can select only one scope policy.

Option Description

All sites Look for desktops or applications on any pod in the pod federation.

Within site Look for desktops or applications only on pods in the same site as thepod to which the user is connected.

Within pod Look for desktops or applications only in the pod to which the user isconnected.

f (Optional) If users have home sites, configure a home site policy for the global entitlement.

Option Description

Use home site Begin searching for desktops or applications in the user's home site. Ifthe user does not have a home site and the Entitled user must havehome site option is not selected, the site to which the user is connectedis assumed to be the home site.

Entitled user must have home site Make the global entitlement available only if the user has a home site.This option is available only when the Use home site option is selected.

g (Optional) Use the Automatically clean up redundant sessions option to specify whether to clean

up redundant sessions.

Note This option is available only for floating desktop entitlements and global applicationentitlements.

Multiple sessions can occur when a pod that contains a session goes offline, the user logs in againand starts another session, and the problem pod comes back online with the original session. Whenmultiple sessions occur, Horizon Client prompts the user to select a session. This option determineswhat happens to sessions that the user does not select. If you do not select this option, users mustmanually end their own extra sessions, either by logging off in Horizon Client or by launching thesessions and logging them off.

h Select the default display protocol for desktops or applications in the global entitlement and specifywhether to allow users to override the default display protocol.

i (Global desktop entitlement only) Select whether to allow users to reset desktops in the globaldesktop entitlement.

j Select whether to allow users to use the HTML Access feature to access desktops or applications inthe global entitlement.

When you enable the HTML Access policy, end users can use a Web browser to connect to remotedesktops and applications and are not required to install any client software on their local systems.


VMware, Inc. 21

k (Global desktop entitlement only) Select whether to allow users to initiate separate desktopsessions from different client devices.

When you enable the multiple sessions per user policy, users that connect to the global entitlementfrom different client devices receive different desktop sessions. To reconnect to an existing desktopsession, users must use the same device from which that session was initiated. If you do not enablethis policy, users are always reconnected to their existing desktop sessions, regardless of the clientdevice that they use. You can enable this policy only for floating desktop entitlements.

Note If you enable this policy, all the desktop pools in the global entitlement must also supportmultiple sessions per user.

l (Global application entitlement only) Select whether to launch the application session before a useropens the global application entitlement in Horizon Client.

When you enable the pre-launch policy, users can launch the global application entitlement morequickly.

Note If you enable this policy, all the application pools in the global application entitlement mustalso support the session pre-launch feature, and the pre-launch session timeout must be the samefor all farms.

5 Click Next and add users or groups to the global entitlement.

a Click Add, select one or more search criteria, and click Find to filter users or groups based on yoursearch criteria.

You can select the Unauthenticated Users check box to find and add unauthenticated access usersto global application entitlements. You cannot add unauthenticated access users to global desktopentitlements. If you attempt to add an unauthenticated access user to a global desktop entitlement,Horizon Administrator returns an error message.

b Select the user or group to add to the global entitlement and click OK.

You can press the Ctrl and Shift keys to select multiple users and groups.

6 Click Next, review the global entitlement configuration, and click Finish to create the globalentitlement.

The global entitlement appears on the Global Entitlements page.

The Cloud Pod Architecture feature stores the global entitlement in the Global Data Layer, which replicatesthe global entitlement on every pod in the pod federation.

What to do next

Select the pools that can provide desktops or applications for the users in the global entitlement that youcreated. See “Add a Pool to a Global Entitlement,” on page 22.

Add a Pool to a Global EntitlementYou can use Horizon Administrator to add a desktop pool to an existing global desktop entitlement, or addan application pool to an existing global application entitlement.

You can add multiple pools to a global entitlement, but you can add a particular pool to only one globalentitlement.


22 VMware, Inc.

If you add multiple application pools to a global application entitlement, you must add the sameapplication. For example, do not add Calculator and Microsoft Office PowerPoint to the same globalapplication entitlement. If you add different applications to the same global application entitlement, entitledusers might receive different applications at different times.

Note If a Horizon administrator changes the pool-level display protocol or protocol override policy after adesktop pool is associated with a global desktop entitlement, users can receive a desktop launch error whenthey select the global desktop entitlement. If a Horizon administrator changes the pool-level virtual machinereset policy after a desktop pool is associated with the global desktop entitlement, users can receive an errorif they try to reset the desktop.

Prerequisites

n Create and configure the global entitlement. See “Create and Configure a Global Entitlement,” onpage 20.

n Create the desktop or application pool to add to the global entitlement. See the Setting Up VirtualDesktops in Horizon 7 or Setting Up Published Desktops and Applications in Horizon 7 document.

Procedure

1 Log in to the Horizon Administrator user interface for any Connection Server instance in the pod thatcontains the pool to add to the global entitlement.

2 In Horizon Administrator, select Catalog > Global Entitlements.

3 Double-click the global entitlement.

4 On the Local Pools tab, click Add, select the desktop or application pool to add, and click Add.

You can press the Ctrl and Shift keys to select multiple pools.

Note Pools that are already associated with a global entitlement or that do not meet the criteria for theglobal entitlement policies you selected are not displayed. For example, if you enabled theHTML Access policy, you cannot select pools that do not allow HTML Access.

5 Repeat these steps on a Connection Server instance in each pod that contains a pool to add to the globalentitlement.

When an entitled user uses Horizon Client to connect to a Connection Server instance in the pod federation,the global entitlement name appears in the list of available desktops and applications.

Create and Configure a SiteIf your Cloud Pod Architecture topology contains multiple pods, you might want to group those pods intodifferent sites. The Cloud Pod Architecture feature treats pods in the same site equally.

Prerequisites

n Decide whether your Cloud Pod Architecture topology should include sites. See “Creating Cloud PodArchitecture Sites,” on page 9.


Procedure



VMware, Inc. 23

2 Create the site.

a In Horizon Administrator, select View Configuration > Sites and click Add.

b Type a name for the site in the Name text box.

The site name can contain between 1 and 64 characters.

c (Optional) Type a description of the site in the Description text box.

The site name can contain between 1 and 1024 characters.

d Click OK to create the site.

3 Add a pod to the site.

Repeat this step for each pod to add to the site.

a In Horizon Administrator, select View Configuration > Sites and select the site that currentlycontains the pod to add to the site.

The names of the pods in the site appear in the lower pane.

b Select the pod to add to the site and click Edit.

c Select the site from the Site drop-down menu and click OK.

Assign a Home Site to a User or GroupA home site is the relationship between a user or group and a Cloud Pod Architecture site. With home sites,Horizon begins searching for desktops and applications from a specific site rather than searching fordesktops and applications based on the user's current location. Assigning home sites is optional.

You can associate a global entitlement with a home site so that the global entitlement's home site overrides auser's own home site when a user selects the global entitlement. For more information, see “Create a HomeSite Override,” on page 25.

Prerequisites

n Decide whether to assign home sites to users or groups in your Cloud Pod Architecture environment.See “Using Home Sites,” on page 11.

n Group the pods in your pod federation into sites. See “Create and Configure a Site,” on page 23.

n Global entitlements do not use home sites by default. When creating a global entitlement, you mustselect the Use home site option to cause Horizon to use a user's home site when allocating desktopsfrom that global entitlement. See “Create and Configure a Global Entitlement,” on page 20.


Procedure


2 In Horizon Administrator, select Users and Groups and click the Home Site tab.

3 On the Home Site tab, click Add.

4 Select one or more search criteria and click Find to filter the users or groups based on your searchcriteria.

You can select the Unauthenticated Users check box to find unauthenticated access users in the podfederation.

5 Select a user or group and click Next.


24 VMware, Inc.

6 Select the home site to assign to the user or group from the Home Site drop-down menu and clickFinish.

Create a Home Site OverrideYou can associate a global entitlement with a home site so that the global entitlement's home site overrides auser's own home site when the user selects the global entitlement.

To create a home site override, you associate a home site with a global entitlement and a particular user orgroup. When the user (or a user in the selected group) accesses the global entitlement, the globalentitlement's home site overrides the user's own home site.

For example, if a user who has a home site in New York accesses a global entitlement that associates thatuser with the London home site, Horizon looks in the London site to satisfy the user's application requestrather than allocating an application from the New York site.

Prerequisites

n Verify that the global entitlement has the Use home site policy enabled. For more information, see “Modify Attributes or Policies for a Global Entitlement,” on page 35.

n Verify that the user or group is included in the global entitlement. For more information, see “Add aUser or Group to a Global Entitlement,” on page 34.

Procedure



3 Double-click the global entitlement to associate with a home site.

4 On the Home Site Override tab, click Add.

Note The Add button is not available if the Use home site policy is not enabled for the globalentitlement.

5 Select one or more search criteria and click Find to filter Active Directory users and groups based onyour search criteria.

6 Select the Active Directory user or group that has a home site you want to override.

The user or group must already be included in the global entitlement you selected.

7 Select the home site to associate with the global entitlement from the Home Site drop-down menu.

8 Click Finish to create the home site override.

Test a Cloud Pod Architecture ConfigurationAfter you initialize and configure a Cloud Pod Architecture environment, perform certain steps to verifythat your environment is set up properly.

Prerequisites

n Install the latest version of Horizon Client on a supported computer or mobile device.

n Verify that you have credentials for a user in one of your newly created global entitlements.

Procedure

1 Start Horizon Client.


VMware, Inc. 25

2 Connect to any Connection Server instance in the pod federation by using the credentials of a user inone of your new global entitlements.

After you connect to the Connection Server instance, the global entitlement name appears in the list ofavailable desktops and applications.

3 Select the global entitlement and connect to a desktop or application.

The desktop or application starts successfully. Which desktop or application starts depends on theindividual configuration of the global entitlement, pods, and desktop and application pools. The Cloud PodArchitecture feature attempts to allocate a desktop or application from the pod to which you are connected.

What to do next

If the global entitlement does not appear when you connect to the Connection Server instance, use HorizonAdministrator to verify that the entitlement is configured correctly. If the global entitlement appears but adesktop or application does not start, all desktop or application pools might be fully assigned to other users.

Example: Setting Up a Basic Cloud Pod Architecture ConfigurationThis example demonstrates how you can use the Cloud Pod Architecture feature to complete a Cloud PodArchitecture configuration.

In this example, a health insurance company has a mobile sales force that operates across two regions, theCentral region and the Eastern region. Sales agents use mobile devices to present insurance policy quotes tocustomers and customers view and sign digital documents.

Rather than store customer data on their mobile devices, sales agents use standardized floating desktops.Access to customer data is kept secure in the health insurance company's datacenters.

The health insurance company has a data center in each region. Occasional capacity problems cause salesagents to look for available desktops in a non-local data center, and WAN latency problems sometimesoccur. If sales agents disconnect from desktops but leave their sessions logged in, they must rememberwhich datacenter hosted their sessions to reconnect to their desktops.

To solve these problems, the health insurance company designs a Cloud Pod Architecture topology,initializes the Cloud Pod Architecture feature, joins its existing pods to the pod federation, creates sites foreach of its data centers, entitles its sales agents to all of its desktop pools, and implements a single URL.

1 Designing the Example Topology on page 27The insurance company designs a Cloud Pod Architecture topology that includes a site for eachregion.

2 Initializing the Example Configuration on page 27To initialize the Cloud Pod Architecture feature, the Horizon administrator logs in to the HorizonAdministrator user interface for a Connection Server instance in East Pod 1, selects ViewConfiguration > Cloud Pod Architecture, and clicks Initialize the Cloud Pod Architecture feature.

3 Joining Pods in the Example Configuration on page 28The Horizon administrator uses Horizon Administrator to join Central Pod 1 and Central Pod 2 to thepod federation.

4 Creating Sites in the Example Configuration on page 28The Horizon administrator uses Horizon Administrator to create a site for the Eastern and Centraldatacenters and adds pods to those sites.

5 Creating Global Desktop Entitlements in the Example Configuration on page 28The Horizon administrator uses Horizon Administrator to create a single global desktop entitlementthat entitles all sales agents to all desktops in the sales agent desktop pools across all pods in the podfederation.


26 VMware, Inc.

6 Creating a URL for the Example Configuration on page 29The insurance company uses a single URL and employs a DNS service to resolve sales.example to thenearest pod in the nearest data center. With this arrangement, sales agents do not need to rememberdifferent URLs for each pod and are always directed to the nearest data center, regardless of wherethey are located.

Designing the Example TopologyThe insurance company designs a Cloud Pod Architecture topology that includes a site for each region.

Figure 3‑1. Example Cloud Pod Architecture Topology

east1.example

East Pod 1

Eastern Region

east2.example east3.example

east4.example east5.example

central1.example

Central Pod 1

Central Region

central2.example central3.example


central6.example

Central Pod 2



Sales A Sales B

Sales A

Sales B

Sales A

Sales B

In this topology, the Eastern region site contains a single pod, East Pod 1, that consists of five ConnectionServer instances called east1.example through east5.example.

The Central region site contains two pods, Central Pod 1 and Central Pod 2. Each pod contains fiveConnection Server instances. The Connection Servers in the first pod are called central1.example throughcentral5.example. The Connection Server instances in the second pod are called central6.example throughcentral10.example.

Each pod in the topology contains two desktop pools of sales agent desktops, called Sales A and Sales B.

Initializing the Example ConfigurationTo initialize the Cloud Pod Architecture feature, the Horizon administrator logs in to the HorizonAdministrator user interface for a Connection Server instance in East Pod 1, selects View Configuration >Cloud Pod Architecture, and clicks Initialize the Cloud Pod Architecture feature.

Because the Horizon administrator uses the Horizon Administrator user interface for a Connection Serverinstance in East Pod 1, the pod federation initially contains East Pod 1. The pod federation also contains asingle site, called Default First Site, which contains East Pod 1.


VMware, Inc. 27

Joining Pods in the Example ConfigurationThe Horizon administrator uses Horizon Administrator to join Central Pod 1 and Central Pod 2 to the podfederation.

1 To join Central Pod 1, the Horizon administrator logs in to the Horizon Administrator user interface fora Connection Server instance in Central Pod 1, selects View Configuration > Cloud Pod Architecture,clicks Join the pod federation, and provides the host name or IP address of a Connection Serverinstance in East Pod 1.

Central Pod 1 is now joined to the pod federation.

2 To join Central Pod 2, the Horizon administrator logs in to the Horizon Administrator user interface fora Connection Server instance in Central Pod 2, selects View Configuration > Cloud Pod Architecture,clicks Join the pod federation, and provides the host name or IP address of a Connection Serverinstance in East Pod 1 or Central Pod 1.

Central Pod 2 is now joined to the pod federation.

After Central Pod 1 and Central Pod 2 are joined to the pod federation, all 10 Connection Server instancesacross both pods in the Central region are part of the pod federation.

Creating Sites in the Example ConfigurationThe Horizon administrator uses Horizon Administrator to create a site for the Eastern and Centraldatacenters and adds pods to those sites.

1 The Horizon administrator logs in to the Horizon Administrator user interface for any ConnectionServer instance in the pod federation.

2 To create a site for the Eastern datacenter, the Horizon administrator selects View Configuration > Sitesand clicks Add.

3 To create a site for the Central datacenter, the Horizon administrator selects View Configuration > Sitesand clicks Add.

4 To move East Pod 1 to the site for the Eastern datacenter, the Horizon administrator selects ViewConfiguration > Sites, selects the site that currently contains East Pod 1, selects East Pod 1, clicks Edit,and selects the Eastern datacenter site from the Site drop-down menu.

5 To move Central Pod 1 to the site for the Central datacenter, the Horizon administrator selects ViewConfiguration > Sites, selects the site that currently contains Central Pod 1, selects Central Pod 1, clicksEdit, and selects the Central datacenter site from the Site drop-down menu.

6 To move Central Pod 2 to the site for the Central datacenter, the Horizon administrator selects ViewConfiguration > Sites, selects the site that currently contains Central Pod 2, selects Central Pod 2, clicksEdit, and selects the Central datacenter site from the Site drop-down menu.

The pod federation site topology now reflects the geographic distribution of pods in the insurancecompany's network.

Creating Global Desktop Entitlements in the Example ConfigurationThe Horizon administrator uses Horizon Administrator to create a single global desktop entitlement thatentitles all sales agents to all desktops in the sales agent desktop pools across all pods in the pod federation.

1 To create and add users to the global desktop entitlement, the Horizon administrator logs in to theHorizon Administrator user interface for a Connection Server in the pod federation, selects Catalog >Global Entitlements, clicks Add, and selects Desktop Entitlement.


28 VMware, Inc.

The Horizon administrator adds the Sales Agents group to the global desktop entitlement. The SalesAgent group is defined in Active Directory and contains all sales agent users. Adding the Sales Agentgroup to the Agent Sales global desktop entitlement enables sales agents to access the Sales A and SalesB desktop pools on the pods in the Eastern and Central regions.

2 To add the desktop pools in East Pod 1 to the global desktop entitlement, the Horizon administratorlogs in to the Horizon Administrator user interface for a Connection Server instance in East Pod 1,selects Catalog > Global Entitlements, double-clicks the global desktop entitlement, clicks Add on theLocal Pools tab, selects the desktop pools to add, and clicks Add.

3 To add the desktop pools in Central Pod 1 to the global desktop entitlement, the Horizon administratorlogs in to the Horizon Administrator user interface for a Connection Server instance in Central Pod 1,selects Catalog > Global Entitlements, double-clicks the global desktop entitlement, clicks Add on theLocal Pools tab, selects the desktop pools to add, and clicks Add.

4 To add the desktop pools in Central Pod 2 to the global desktop entitlement, the Horizon administratorlogs in to the Horizon Administrator user interface for a Connection Server instance in Central Pod 2,selects Catalog > Global Entitlements, double-clicks the global desktop entitlement, clicks Add on theLocal Pools tab, selects the desktop pools to add, and clicks Add.

Creating a URL for the Example ConfigurationThe insurance company uses a single URL and employs a DNS service to resolve sales.example to thenearest pod in the nearest data center. With this arrangement, sales agents do not need to rememberdifferent URLs for each pod and are always directed to the nearest data center, regardless of where they arelocated.

When a sales agent connects to the URL in Horizon Client, the Agent Sales global entitlement appears on thelist of available desktop pools. When a sales agent selects the global desktop entitlement, the Cloud PodArchitecture feature delivers the nearest available desktop in the pod federation. If all of the desktops in thelocal data center are in use, the Cloud Pod Architecture feature selects a desktop from the other data center.If a sales agent leaves a desktop session logged in, the Cloud Pod Architecture feature returns the salesagent to that desktop, even if the sales agent has since traveled to a different region.


VMware, Inc. 29


30 VMware, Inc.

Managing a Cloud Pod ArchitectureEnvironment 4

You use Horizon Administrator and the lmvutil command to view, modify, and maintain your Cloud PodArchitecture environment. You can also use Horizon Administrator to monitor the health of pods in the podfederation.


n “View a Cloud Pod Architecture Configuration,” on page 31

n “View Pod Federation Health in Horizon Administrator,” on page 32

n “View Desktop and Application Sessions in the Pod Federation,” on page 33

n “Add a Pod to a Site,” on page 33

n “Modifying Global Entitlements,” on page 34

n “Managing Home Site Assignments,” on page 37

n “Remove a Pod From the Pod Federation,” on page 39

n “Uninitialize the Cloud Pod Architecture Feature,” on page 39

View a Cloud Pod Architecture ConfigurationYou can use Horizon Administrator or the lmvutil command to view information about global entitlements,pods, sites, and home sites.

This procedure shows how to use Horizon Administrator to view information about global entitlements,pods, sites, and home sites. To use the lmvutil command to view this information, see Chapter 5, “lmvutilCommand Reference,” on page 41.

This procedure also shows how to use the lmvutil command to list the tags associated with a globalentitlement. Horizon Administrator does not show the tags associated with a global entitlement.

Procedure

n To list all of the global entitlements in your configuration, in Horizon Administrator, select Catalog >Global Entitlements.

You can use the Horizon Administrator user interface for any Connection Server instance in the podfederation.

n To list the desktop or application pools in a global entitlement, in Horizon Administrator, select Catalog> Global Entitlements, double-click the global entitlement name, and click the Local Pools tab.

Only the pools in the local pod appear on the Local Pools tab. If a global entitlement includes desktopor application pools in a remote pod, you must log in to the Horizon Administrator user interface for aConnection Server instance in the remote pod to see those pools.

VMware, Inc. 31

n To list the users or groups associated with a global entitlement, in Horizon Administrator, selectCatalog > Global Entitlements, double-click the global entitlement, and click the Users and Groupstab.


n To see the global entitlements that are assigned to a specific user, use the Horizon Help Desk Tool. TheHorizon Help Desk Tool is a Web application that you can use to get the status of Horizon 7 usersessions and to perform troubleshooting and maintenance operations.

For more information, see the View Administration document.

n To list the pods in the pod federation, in Horizon Administrator, select View Configuration > CloudPod Architecture.


n To list the sites in the pod federation, in Horizon Administrator, select View Configuration > Sites.


n To list the home sites for a user by global entitlement, perform these steps in Horizon Administrator.

a Select Users and Groups, click the Home Site tab, and select Resolution.

b Click inside the Click here to find the user text box.

c Select one or more search criteria and click Find to filter the Active Directory users based on yoursearch criteria.

d Select the Active Directory user and click OK.

e Click Look Up to display the home sites for the user.

The global entitlement name appears in the Entitlement column and the effective home site for theglobal entitlement appears in the Home Site Resolution column. The origin of a home site assignmentappears in parentheses after the home site name. If a user has multiple home sites, a folder icon appearsnext to the global entitlement name. You can expand this folder to list the home site assignments thatare not in effect for the global entitlement.

n To list the tags that are associated with a global entitlement, select Catalog > Global Entitlements,double-click the global entitlement, and click the Summary tab.

The tags that are associated with the global entitlement appear in the Connection Server restrictionsfield.

View Pod Federation Health in Horizon AdministratorHorizon constantly monitors the health of the pod federation by checking the health of each pod andConnection Server instances in those pods. You can view the health of a pod federation in HorizonAdministrator.

You can also view the health of a pod federation from the command line by using the vdmadmin commandwith the -H option. For information about vdmadmin syntax, see the View Administration document.

Important Horizon event databases are not shared across pods in a pod federation.

Procedure



32 VMware, Inc.

2 In Horizon Administrator, select Inventory > Dashboard.

The Remote Pods section in the System Health pane lists all pods, their member Connection Serverinstances, and the known health status for each Connection Server instance.

A green health icon indicates that the Connection Server instance is online and available for the Cloud PodArchitecture feature. A red health icon indicates that the Connection Server instance is offline or the CloudPod Architecture feature cannot connect to the Connection Server instance to confirm its availability.

View Desktop and Application Sessions in the Pod FederationYou can use Horizon Administrator to search for and view desktop and application sessions across the podfederation.

You can search for desktop and application sessions by user, pod, or brokering pod. The user is the end userwho is connected to the desktop or application, the pod is the pod on which the desktop or application ishosted, and the brokering pod is the pod to which the user was connected when the desktop or applicationwas first allocated.

Procedure


2 In Horizon Administrator, select Inventory > Search Sessions.

3 Select search criteria and begin the search.

Option Action

Search by user a Select User from the drop-down menu.b Click in the text box.c Select search criteria in the Find User dialog box and click OK.d Click Search to begin the search.

Search by pod a Select Pod from the drop-down menu and select a pod from the list ofpods that appears.

b Click Search to begin the search.

Search by brokering pod a Select Brokering Pod from the drop-down menu and select a pod fromthe list of pods that appears.

b Click Search to begin the search.

The search results include the user, type of session (desktop or application), machine, pool or farm, pod,brokering pod ID, site, and global entitlements associated with each session. The session start time,duration, and state also appear in the search results.

Note The brokering pod ID is not immediately populated for new sessions in the search results. This IDusually appears in Horizon Administrator between two and three minutes after a session begins.

Add a Pod to a SiteYou can use Horizon Administrator to add a pod to an existing site.

Procedure


2 In Horizon Administrator, select View Configuration > Sites.

Chapter 4 Managing a Cloud Pod Architecture Environment

VMware, Inc. 33

3 Select the site that currently contains the pod to add to the site.

The names of the pods in the site appear in the lower pane.

4 Select the pod to add to the site and click Edit.

5 Select the site from the Site drop-down menu and click OK.

Modifying Global EntitlementsYou can add and remove pools, users, and groups from global entitlements. You can also delete globalentitlements and modify global entitlement attributes and policies.

For information about adding a pool to a global entitlement, see “Add a Pool to a Global Entitlement,” onpage 22.

Remove a Pool from a Global EntitlementYou can use Horizon Administrator to remove a pool from a global entitlement.

Procedure

1 Log in to the Horizon Administrator user interface for any Connection Server instance in the pod thatcontains the pool to remove.


3 On the Local Pools tab, select the pool to remove from the global entitlement and click Delete.

Add a User or Group to a Global EntitlementYou can use Horizon Administrator to add a user or group to an existing global entitlement.

Procedure


2 In Horizon Administrator, select Catalog > Global Entitlements and double-click the globalentitlement.

3 On the Users and Groups tab, click Add.

4 Click Add, select one or more search criteria, and click Find to filter Active Directory users or groupsbased on your search criteria.

You can select the Unauthenticated Users check box to find and add unauthenticated access users toglobal application entitlements. You cannot add unauthenticated access users to global desktopentitlements. If you attempt to add an unauthenticated access user to a global desktop entitlement,Horizon Administrator returns an error message.

5 Select the Active Directory user or group to add to the global entitlement and click OK.

You can press the Ctrl and Shift keys to select multiple users and groups.

Remove a User or Group From a Global EntitlementYou can use Horizon Administrator to remove a user or group from a global entitlement.

Procedure



34 VMware, Inc.

2 In Horizon Administrator, select Catalog > Global Entitlements and double-click the globalentitlement.

3 On the Users and Groups tab, select the user or group to delete and click Delete.

You can press Ctrl or Shift to select multiple users and groups.

4 Click OK in the confirmation dialog box.

Modify Attributes or Policies for a Global EntitlementYou can use Horizon Administrator to modify the name, description, attributes, tags, scope, and otherpolicies of a global entitlement.

You cannot modify the type of desktop pool that a global desktop entitlement can contain.

Procedure



3 Select the global entitlement and click Edit.

4 To modify the name or description of the global entitlement, type a new name or description in theName or Description text box in the General pane.

The name can contain between 1 and 64 characters. The description can contain between 1 and 1024characters.

5 To remove or modify the tags that are associated with the global entitlement, click Browse.

You can select No restrictions to remove all of the existing tags, or you can select Restricted to thesetags to associate the global entitlement with different tags. Only the Connection Server instances thathave the selected tags can access the global entitlement.

Note You can only select tags assigned to Connection Server instances in the local pod. To select tagsassigned to Connection Server instances in another pod, you must log in to Horizon Administrator for aConnection Server instance in the other pod and modify the global entitlement again.

6 To modify a global entitlement policy, select or deselect the policy in the Policy pane.

Policy Description

Scope Specifies where to look for desktops or applications that satisfy a desktopor application request from the global entitlement. You can select only onescope policy.n All sites - look for desktops or applications on any pod in the pod

federation.n Within site - look for desktops or applications only on pods in the

same site as the pod to which the user is connected.n Within pod - look for desktops or applications only in the pod to

which the user is connected.

Use home site Determines whether to begin searching for desktops or applications in theuser's home site. If the user does not have a home site and the Entitleduser must have home site option is not selected, the site to which the useris currently connected is assumed to be the home site.

Entitled user must have home site Makes the global entitlement available only if the user has a home site.This option is available only when the Use home site option is selected.


VMware, Inc. 35

Policy Description

Automatically clean up redundantsessions

Logs off extra user sessions for the same entitlement.. This option isavailable only for floating desktop entitlements and applicationentitlements.Multiple sessions can occur when a pod that contains a session goesoffline, the user logs in again and starts another session, and the problempod comes back online with the original session. When multiple sessionsoccur, Horizon Client prompts the user to select a session. This optiondetermines what happens to sessions that the user does not select. If youdo not select this option, users must manually end their own extrasessions, either by logging off in Horizon Client or by launching thesessions and logging them off.

Default display protocol Specifies the default display protocol for desktops or applications in theglobal entitlement.

HTML Access Determines whether to allow users to use the HTML Access feature toaccess desktops or applications in the global entitlement. When you enablethe HTML Access policy, end users can use a Web browser to connect toremote desktops and are not required to install any client software on theirlocal systems.

Allow user to initiate separatesessions from different clientdevices

Determines whether to allow users to initiate separate desktop sessionsfrom different client devices. When you enable the multiple sessions peruser policy, users that connect to the global entitlement from differentclient devices receive different desktop sessions. To reconnect to anexisting desktop session, users must use the same device from which thatsession was initiated. If you do not enable this policy, users are alwaysreconnected to their existing desktop sessions, regardless of the clientdevice that they use. You can enable this policy only for floating desktopentitlements.Note If you enable this policy, all the desktop pools in the globalentitlement must also support multiple sessions per user.

Pre-launch Determines whether to launch the application session before a user opensthe global application entitlement in Horizon Client. When you enable thepre-launch policy, users can launch the global application entitlement morequickly.Note If you enable this policy, all the application pools in the globalapplication entitlement must also support the session pre-launch feature,and the pre-launch session timeout must be the same for all farms.

7 To modify the application path, version, and publisher information for a global application entitlement,

type values in the application text boxes.

Note If you add an application pool to the global application entitlement after you modify thesevalues, the values are overwritten with values from the application pool.


Delete a Global EntitlementYou can use Horizon Administrator to permanently delete a global entitlement. When you delete a globalentitlement, all of the users who are dependent on that global entitlement for desktops cannot access theirdesktops. Existing desktop sessions remain connected.

Procedure



3 Click the global entitlement to delete and click Delete.


36 VMware, Inc.

4 Click OK in the confirmation dialog box.

Managing Home Site AssignmentsYou can modify and delete home site assignments. You can also display the effective home site for eachglobal entitlement to which a user belongs.

Modify a Home Site AssignmentYou can change an existing home site assignment for a specific user or group.

To modify the association between a global entitlement and a home site for a specific user or group, see “Modify a Home Site Override,” on page 38.

Procedure


2 In Horizon Administrator, select Users and Groups, click the Home Site tab, and select Assignment.

3 Select the home site assignment to modify and click Edit.

4 Select a different home site from the Home Site drop-down menu.

5 Click OK to save the new home site assignment.

Remove a Home Site AssignmentYou can remove the association between a user or group and a home site.

To remove the association between a home site and a global entitlement for a specific user or group, see “Remove a Home Site Override,” on page 38.

Procedure


2 In Horizon Administrator, select Users and Groups, click the Home Site tab, and select Assignment.

3 Select the home site assignment to remove and click Delete.

4 Click OK to remove the home site assignment.

Determine the Effective Home Site for a UserBecause you can assign home sites to both users and groups, a single user can have multiple home sites. Inaddition, home sites associated with global entitlements can override a user's own home site. You can useHorizon Administrator to determine a user's effective home site.

Procedure


2 In Horizon Administrator, select Users and Groups, click the Home Site tab, and select Resolution.

3 Click inside the Click here to find the user text box.

4 Select one or more search criteria and click Find to filter the Active Directory users based on yoursearch criteria.

5 Select the Active Directory user whose effective home site you want to display and click OK.


VMware, Inc. 37

6 Click Look Up.

Horizon Administrator displays the effective home site for each global entitlement to which the userbelongs. Only global entitlements that have the Use home site policy enabled are displayed.

The home site that is in effect appears in the Home Site Resolution column. If a user has multiple home sites,a folder icon appears next to the global entitlement name in the Entitlement column. You can expand thisfolder to list the home site assignments that are not in effect for the global entitlement. HorizonAdministrator uses strikethrough text to indicate a home site is not in effect.

Horizon Administrator displays the origin of a home site assignment in parentheses after the home sitename in the Home Site Resolution column. If the home site originated from a group in which the userbelongs, Horizon Administrator displays the name of the group, for example, (via Domain Users). If thehome site originated from the user's own home site assignment, Horizon Administrator displays (Default).If the home site originated from the global entitlement (a home site override), Horizon Administratordisplays (Direct).

If a user does not have a home site, Horizon Administrator displays No home site defined in the Home SiteResolution column.

Modify a Home Site OverrideYou can change the association between a global entitlement and a home for site for a specific user or group.

Procedure




4 On the Home Site Override tab, select the user or group and click Edit.

5 Select a different home site from the Home Site drop-down menu.


Remove a Home Site OverrideYou can remove the association between a global entitlement and a home site for a specific user or group.

Procedure




4 On the Home Site Overrides tab, select the user or group and click Remove.

5 Click OK to remove the home site override.


38 VMware, Inc.

Remove a Pod From the Pod FederationYou can use Horizon Administrator to remove a pod that was previously joined to the pod federation. Youmight want to remove a pod from the pod federation if it is being recommissioned for another purpose or ifit was wrongly configured.

To remove the last pod in the pod federation, you uninitialize the Cloud Pod Architecture feature. See “Uninitialize the Cloud Pod Architecture Feature,” on page 39.

Important Do not stop or start a Connection Server instance while it is being removed from a podfederation. The Connection Server service might not restart correctly.

Procedure

1 Log in to the Horizon Administrator user interface for any Connection Server instance in the pod thatyou want to remove from the pod federation.

2 In Horizon Administrator, select Cloud Pod Architecture and click Unjoin in the Pod Federation pane.

3 Click OK to begin the unjoin operation.

Horizon Administrator shows the progress of the unjoin operation.


After the Horizon Administrator user interface is refreshed, Global Entitlements no longer appearsunder Catalog and Sites no longer appears under View Configuration in the Horizon AdministratorInventory panel.

Uninitialize the Cloud Pod Architecture FeatureYou can use Horizon Administrator to uninitialize the Cloud Pod Architecture feature.

Prerequisites

You need to uninitialize the Cloud Pod Architecture feature on only one pod in the pod federation. If thepod federation contains multiple pods, you must unjoin the other pods before you begin the uninitializationprocess. See “Remove a Pod From the Pod Federation,” on page 39.

Procedure

1 Log in to the Horizon Administrator user interface for any Connection Server instance in the pod.

2 In Horizon Administrator, select View Configuration > Cloud Pod Architecture.

3 In the Pod Federation pane, click Uninitialize.

4 Click OK to begin the uninitialization process.

After the uninitialization process is finished, your entire Cloud Pod Architecture configuration,including sites, home sites, and global entitlements, is deleted.


After the Horizon Administrator user interface is refreshed, Global Entitlements no longer appearsunder Catalog and Sites no longer appears under View Configuration in the Horizon AdministratorInventory panel.


VMware, Inc. 39


40 VMware, Inc.

lmvutil Command Reference 5You use the lmvutil command-line interface to configure and manage a Cloud Pod Architectureimplementation.

Note You can use the vdmutil command-line interface to perform the same operations as lmvutil.


n “lmvutil Command Use,” on page 41

n “Initializing the Cloud Pod Architecture Feature,” on page 44

n “Disabling the Cloud Pod Architecture Feature,” on page 45

n “Managing Pod Federations,” on page 45

n “Managing Sites,” on page 47

n “Managing Global Entitlements,” on page 50

n “Managing Home Sites,” on page 58

n “Viewing a Cloud Pod Architecture Configuration,” on page 60

n “Managing SSL Certificates,” on page 65

lmvutil Command UseThe syntax of the lmvutil command controls its operation.

Use the following form of the lmvutil command from a Windows command prompt.

lmvutil command_option [additional_option argument] ...

Alternatively, you can use the vdmutil command to perform the same operations as the lmvutil command.Use the following form of the vdmutil command from a Windows command prompt.

vdmutil command_option [additional_option argument] ...

The additional options that you can use depend on the command option.

By default, the path to the lmvutil and vdmutil command executable files is C:\ProgramFiles\VMware\VMware View\Server\tools\bin. To avoid entering the path on the command line, add thepath to your PATH environment variable.

VMware, Inc. 41

lmvutil Command AuthenticationTo use the lmvutil command to configure and manage a Cloud Pod Architecture environment, you mustrun the command as a user who has the Administrators role.

You can use Horizon Administrator to assign the Administrators role to a user. See the View Administrationdocument.

The lmvutil command includes options to specify the user name, domain, and password to use forauthentication.

Table 5‑1. lmvutil Command Authentication Options

Option Description

--authAs Name of a Horizon administrator user. Do not use domain\username or user principalname (UPN) format.

--authDomain Fully qualified domain name for the Horizon administrator user specified in the--authAs option.

--authPassword Password for the Horizon administrator user specified in the --authAs option.Entering "*" instead of a password causes the lmvutil command to prompt for thepassword and does not leave sensitive passwords in the command history on thecommand line.

For example, the following lmvutil command logs in the user domainEast\adminEast and initializes theCloud Pod Architecture feature.

lmvutil --authAs adminEast --authDomain domainEast --authPassword "*" --initialize

You must use the authentication options with all lmvutil command options except for --help and--verbose.

lmvutil Command OutputThe lmvutil command returns 0 when an operation succeeds and a failure-specific non-zero code when anoperation fails.

The lmvutil command writes error messages to standard error. When an operation produces output, orwhen verbose logging is enabled by using the --verbose option, the lmvutil command writes output tostandard output.

The lmvutil command produces only US English output.

lmvutil Command OptionsYou use the command options of the lmvutil command to specify the operation to perform. All options arepreceded by two hyphens (--).

For lmvutil command authentication options, see “lmvutil Command Authentication,” on page 42.

Table 5‑2. lmvutil Command Options

Option Description

--activatePendingCertificate Activates a pending SSL certificate. See “Activating aPending Certificate,” on page 65.

--addGroupEntitlement Associates a user group with a global entitlement. See “Adding a User or Group to a Global Entitlement,” onpage 57.


42 VMware, Inc.

Table 5‑2. lmvutil Command Options (Continued)

Option Description

--addPoolAssociation Associates a desktop pool with a global desktopentitlement or an application pool with a global applicationentitlement. See “Adding a Pool to a Global Entitlement,”on page 55.

--addUserEntitlement Associates a user with a global entitlement. See “Adding aUser or Group to a Global Entitlement,” on page 57

--assignPodToSite Assigns a pod to a site. See “Assigning a Pod to a Site,” onpage 48.

--createGlobalApplicationEntitlement Creates a global application entitlement. See “Creating aGlobal Entitlement,” on page 50.

--createGlobalEntitlement Creates a global desktop entitlement. See “Creating aGlobal Entitlement,” on page 50.

--createSite Creates a site. See “Creating a Site,” on page 48.

--createGroupHomeSite Associates a user group with a home site. See “Configuringa Home Site,” on page 59.

--createPendingCertificate Creates a pending SSL certificate. See “Creating a PendingCertificate,” on page 65.

--createUserHomeSite Associates a user with a home site. See “Configuring aHome Site,” on page 59.

--deleteGlobalApplicationEntitlement Deletes a global application entitlement. See “Deleting aGlobal Entitlement,” on page 55.

--deleteGlobalEntitlement Deletes a global deskop entitlement. See “Deleting a GlobalEntitlement,” on page 55.

--deleteSite Deletes a site. See “Deleting a Site,” on page 49.

--deleteGroupHomeSite Removes the association between a user group and a homesite. See “Deleting a Home Site,” on page 60.

--deleteUserHomeSite Removes the association between a user and a home site.See “Deleting a Home Site,” on page 60.

--editSite Modifies the name or description of a site. See “Changing aSite Name or Description,” on page 49.

--ejectPod Removes an unavailable pod from a pod federation. See “Removing a Pod From a Pod Federation,” on page 46.

--help Lists the lmvutil command options.

--initialize Initializes the Cloud Pod Architecture feature. See “Initializing the Cloud Pod Architecture Feature,” onpage 44.

--join Joins a pod to a pod federation. See “Joining a Pod to thePod Federation,” on page 46.

--listAssociatedPools Lists the desktop pools that are associated with a globaldesktop entitlement or the application pools that areassociated with a global application entitlement. See “Listing the Pools in a Global Entitlement,” on page 61.

--listEntitlements Lists associations between users or user groups and globalentitlements. “Listing the Users or Groups in a GlobalEntitlement,” on page 62.

--listGlobalApplicationEntitlements Lists all global application entitlements. See “Listing GlobalEntitlements,” on page 61.

--listGlobalEntitlements Lists all global desktop entitlements. See “Listing GlobalEntitlements,” on page 61.

Chapter 5 lmvutil Command Reference

VMware, Inc. 43

Table 5‑2. lmvutil Command Options (Continued)

Option Description

--listPods Lists the pods in a Cloud Pod Architecture topology. See “Listing the Pods or Sites in a Cloud Pod ArchitectureTopology,” on page 64.

--listSites Lists the sites in a Cloud Pod Architecture topology. See “Listing the Pods or Sites in a Cloud Pod ArchitectureTopology,” on page 64.

--listUserAssignments Lists the dedicated desktop pod assignments for a user andglobal entitlement combination. See “Listing DedicatedDesktop Pool Assignments,” on page 64.

--removePoolAssociation Removes the association between a desktop pool and aglobal entitlement. See “Removing a Pool from a GlobalEntitlement,” on page 56.

--resolveUserHomeSite Shows the effective home site for a user. See “Listing theEffective Home Site for a User,” on page 63.

--removeGroupEntitlement Removes a user group from a global entitlement. See “Removing a User or Group From a Global Entitlement,”on page 58.

--removeUserEntitlement Removes a user from a global entitlement. See “Removinga User or Group From a Global Entitlement,” on page 58.

--showGroupHomeSites Shows all of the home sites for a group. See “Listing theHome Sites for a User or Group,” on page 62.

--showUserHomeSites Shows all of the home sites for a user. See “Listing theHome Sites for a User or Group,” on page 62.

--uninitialize Disables the Cloud Pod Architecture feature. See “Disabling the Cloud Pod Architecture Feature,” onpage 45.

--unjoin Removes an available pod from a pod federation. See “Removing a Pod From a Pod Federation,” on page 46.

--updateGlobalApplicationEntitlement Modifes a global application entitlement. See “Modifying aGlobal Entitlement,” on page 53.

--updateGlobalEntitlement Modifies a global desktop entitlement. See “Modifying aGlobal Entitlement,” on page 53.

--updatePod Modifies the name or description of a pod. See “Changinga Pod Name or Description,” on page 47.

--verbose Enables verbose logging. You can add this option to anyother option to obtain detailed command output. Thelmvutil command writes to standard output.

Initializing the Cloud Pod Architecture FeatureUse the lmvutil command with the --initialize option to initialize the Cloud Pod Architecture feature.When you initialize the Cloud Pod Architecture feature, Horizon sets up the Global Data Layer on eachConnection Server instance in the pod and configures the VIPA communication channel.

Syntaxlmvutil --initialize


44 VMware, Inc.

Usage NotesRun this command only once, on one Connection Server instance in the pod. You can run the command onany Connection Server instance in the pod. You do not need to run this command for additional pods. Allother pods join the initialized pod.

This command returns an error message if the Cloud Pod Architecture feature is already initialized or if thecommand cannot complete the operation.

Examplelmvutil --authAs adminEast --authDomain domainEast --authPassword "*" --initialize

Disabling the Cloud Pod Architecture FeatureUse the lmvutil command with the --uninitialize option to disable the Cloud Pod Architecture feature.

Syntaxlmvutil --uninitialize

Usage NotesBefore you run this command, use the lmvutil command with the --unjoin option to remove any otherpods in the pod federation.

Run this command on only one Connection Server instance in a pod. You can run the command on anyConnection Server instance in the pod. If your pod federation contains multiple pods, you need to run thiscommand for only one pod.

This command returns an error message if the Cloud Pod Architecture feature is not initialized, if thecommand cannot find the pod, or if the pod federation contains other pods.

Examplelmvutil --authAs adminEast --authDomain domainEast --authPassword "*" --uninitialize

Managing Pod FederationsThe lmvutil command provides options to configure and modify pod federations.

n Joining a Pod to the Pod Federation on page 46

Use the lmvutil command with the --join option to join a pod to the pod federation.

n Removing a Pod From a Pod Federation on page 46

Use the lmvutil command with the --unjoin or --ejectPod option to remove a pod from a podfederation.

n Changing a Pod Name or Description on page 47

Use the lmvutil command with the --updatePod option to update or modify the name or descriptionof a pod.


VMware, Inc. 45

Joining a Pod to the Pod FederationUse the lmvutil command with the --join option to join a pod to the pod federation.

Syntaxlmvutil --join joinServer serveraddress --userName domain\username --password password

Usage NotesYou must run this command on each pod that you want to join to the pod federation. You can run thecommand on any Connection Server instance in a pod.

This command returns an error message if you provide invalid credentials, the specified Connection Serverinstance does not exist, a pod federation does not exist on the specified server, or the command cannotcomplete the operation.

OptionsYou must specify several options when you join a pod to a pod federation.

Table 5‑3. Options for Joining a Pod to a Pod Federation

Option Description

--joinServer DNS name or IP address of any Connection Server instance in any pod that has beeninitialized or is already part of the pod federation.

--userName Name of a Horizon administrator user on the already initialized pod. Use the formatdomain\username.

--password Password of the user specified in the --userName option.

Examplelmvutil --authAs adminEast --authDomain domainEast --authPassword "*" --join

--joinServer 123.456.789.1 --userName domainCentral\adminCentral --password secret123

Removing a Pod From a Pod FederationUse the lmvutil command with the --unjoin or --ejectPod option to remove a pod from a podfederation.

Syntaxlmvutil --unjoin

lmvutil --ejectPod --pod pod

Usage NotesTo remove a pod from a pod federation, use the --unjoin option. You can run the command on anyConnection Server instance in the pod.

To remove a pod that is not available from a pod federation, use the --ejectPod option. For example, a podmight become unavailable if a hardware failure occurs. You can perform this operation on any pod in thepod federation.

Important In most circumstances, you should use the --unjoin option to remove a pod from a podfederation.


46 VMware, Inc.

These commands return an error message if the Cloud Pod Architecture feature is not initialized, the pod isnot joined to a pod federation, or if the commands cannot perform specified operations.

OptionsWhen you use the --ejectPod option, you use the --pod option to identify the pod to remove from the podfederation.

Examplelmvutil --authAs adminEast --authDomain domainEast --authPassword "*" --unjoin

lmvutil --authAs adminEast --authDomain domainEast --authPassword "*" --ejectPod

--pod "East Pod 1"

Changing a Pod Name or DescriptionUse the lmvutil command with the --updatePod option to update or modify the name or description of apod.

Syntaxlmvutil --updatePod --podName podname [--newPodName podname] [--description text]

Usage NotesThis command returns an error message if the Cloud Pod Architecture feature is not initialized or if thecommand cannot find or update the pod.

OptionsYou can specify these options when you update a pod name or description.

Table 5‑4. Options for Changing a Pod Name or Description

Option Description

--podName Name of the pod to update.

--newPodName (Optional) New name for the pod. A pod name can contain between 1 and 64characters.

--description (Optional) Description of the site. The description can contain between 1 and 1024characters.

Examplelmvutil --authAs adminEast --authDomain domainEast --authPassword "*"

--updatePod --podName "East Pod 1" --newPodName "East Pod 2"

Managing SitesYou can use lmvutil command options to create, modify, and delete Cloud Pod Architecture sites. A site is agrouping of pods.

n Creating a Site on page 48

Use the lmvutil command with the --createSite option to create a site in a Cloud Pod Architecturetopology.

n Assigning a Pod to a Site on page 48

Use the lmvutil command with the --assignPodToSite option to assign a pod to a site.


VMware, Inc. 47

n Changing a Site Name or Description on page 49

Use the lmvutil command with the --editSite option to edit the name or description of a site.

n Deleting a Site on page 49

Use the lmvutil command with the --deleteSite option to delete a site.

Creating a SiteUse the lmvutil command with the --createSite option to create a site in a Cloud Pod Architecturetopology.

Syntaxlmvutil --createSite --siteName sitename [--description text]

Usage NotesThis command returns an error message if the Cloud Pod Architecture feature is not initialized, the specifiedsite already exists, or the command cannot create the site.

OptionsYou can specify these options when you create a site.

Table 5‑5. Options for Creating a Site

Option Description

--siteName Name of the new site. The site name can contain between 1 and 64 characters.


Examplelmvutil --authAs adminEast --authDomain domainEast --authPassword "*" --createSite

--siteName "Eastern Region"

Assigning a Pod to a SiteUse the lmvutil command with the --assignPodToSite option to assign a pod to a site.

Syntaxlmvutil --assignPodToSite --podName podname --siteName sitename

Usage NotesBefore you can assign a pod to a site, you must create the site. See “Creating a Site,” on page 48.

This command returns an error message if the Cloud Pod Architecture feature is not initialized, thecommand cannot find the specified pod or site, or if the command cannot assign the pod to the site.

OptionsYou must specify these options when you assign a pod to a site.


48 VMware, Inc.

Table 5‑6. Options for Assigning a Pod to a Site

Option Description

--podName Name of the pod to assign to the site.

--siteName Name of the site.

You can use the lmvutil command with the --listPods option to list the names of the pods in a Cloud PodArchitecture topology. See “Listing the Pods or Sites in a Cloud Pod Architecture Topology,” on page 64.


--assignPodToSite --podName "East Pod 1" --siteName "Eastern Region"

Changing a Site Name or DescriptionUse the lmvutil command with the --editSite option to edit the name or description of a site.

Syntaxlmvutil --editSite --siteName sitename [--newSiteName sitename] [--description text]

Usage NotesThis command returns an error message if the specified site does not exist or if the command cannot find orupdate the site.

OptionsYou can specify these options when you change a site name or description.

Table 5‑7. Options for Changing a Site Name or Description

Option Description

--siteName Name of the site to edit.

--newSiteName (Optional) New name for the site. The site name can contain between 1 and 64characters.


Examplelmvutil --authAs adminEast --authDomain domainEast --authPassword "*" --editSite

--siteName "Eastern Region" --newSiteName "Western Region"

Deleting a SiteUse the lmvutil command with the --deleteSite option to delete a site.

Syntaxlmvutil --deleteSite --sitename sitename

Usage NotesThis command returns an error message if the specified site does not exist or if the command cannot find ordelete the site.


VMware, Inc. 49

OptionsYou use the --sitename option to specify the name of the site to delete.


--deleteSite --sitename "Eastern Region"

Managing Global EntitlementsYou can use lmvutil command options to create, modify, and list global desktop entitlements and globalapplication entitlements in a Cloud Pod Architecture environment.

n Creating a Global Entitlement on page 50To create a global desktop entitlement, use the lmvutil command with the--createGlobalEntitlement option. To create a global application entitlement, use the lmvutilcommand with the --createGlobalApplicationEntitlement option.

n Modifying a Global Entitlement on page 53To modify a global desktop entitlement, use the lmvutil command with the--updateGlobalEntitlement option. To modify a global application entitlement, use the lmvutilcommand with the --updateGlobalApplicationEntitlement option.

n Deleting a Global Entitlement on page 55To delete a global desktop entitlement, use the lmvutil command with the--deleteGlobalEntitlement option. To delete a global application entitlement, use the lmvutilcommand with the --deleteGlobalApplicationEntitlement option.

n Adding a Pool to a Global Entitlement on page 55

Use the lmvutil command with the --addPoolAssociation option to add a desktop pool to a globaldesktop entitlement or an application pool to a global application entitlement.

n Removing a Pool from a Global Entitlement on page 56

Use the lmvutil command with the --removePoolAssociation option to remove a desktop poolfrom a global desktop entitlement or an application pool from a global application entitlement.

n Adding a User or Group to a Global Entitlement on page 57

To add a user to a global entitlement, use the lmvutil command with the --addUserEntitlementoption. To add a group to a global entitlement, use the lmvutil command with the--addGroupEntitlement option.

n Removing a User or Group From a Global Entitlement on page 58To remove a user from a global entitlement, use the lmvutil command with the--removeUserEntitlement option. To remove a group from a global entitlement, use the lmvutilcommand with the --removeGroupEntitlement option.

Creating a Global EntitlementTo create a global desktop entitlement, use the lmvutil command with the --createGlobalEntitlementoption. To create a global application entitlement, use the lmvutil command with the--createGlobalApplicationEntitlement option.

Global entitlements provide the link between users and their desktops and applications, regardless of wherethose desktops and applications reside in the pod federation. Global entitlements also include policies thatdetermine how the Cloud Pod Architecture feature allocates desktops and applications to entitled users.


50 VMware, Inc.

Syntaxlmvutil --createGlobalEntitlement --entitlementName name --scope scope

{--isDedicated | --isFloating} [--description text] [--disabled]

[--fromHome] [--multipleSessionAutoClean] [--requireHomeSite] [--defaultProtocol value]

[--preventProtocolOverride] [--allowReset] [--htmlAccess] [--multipleSessionsPerUser]

[--tags tags]

lmvutil --createGlobalApplicationEntitlement --entitlementName name --scope scope

[--description text] [--disabled] [--fromHome] [--multipleSessionAutoClean]

[--requireHomeSite] [--defaultProtocol value] [--preventProtocolOverride] [--htmlAccess]

[--preLaunch] [--tags tags]

Usage NotesYou can use these commands on any Connection Server instance in a pod federation. The Cloud PodArchitecture feature stores new data in the Global Data Layer and replicates that data in all pods in the podfederation.

These commands return an error message if the global entitlement already exists, the scope is invalid, theCloud Pod Architecture feature is not initialized, or the commands cannot create the global entitlement.

OptionsYou can specify these options when you create a global entitlement. Some options apply only to globaldesktop entitlements.

Table 5‑8. Options for Creating Global Entitlements

Option Description

--entitlementName Name of the global entitlement. The name can contain between 1 and 64characters. The global entitlement name appears in the desktops andapplications list in Horizon Client for entitled users.

--scope Scope of the global entitlement. Valid values are as follows:n ANY. Horizon looks for resources on any pod in the pod federation.n SITE. Horizon looks for resources only on pods in the same site as the

pod to which the user is connected.n LOCAL. Horizon looks for resources only in the pod to which the

user is connected.

--isDedicated Creates a dedicated desktop entitlement. A dedicated desktop entitlementcan contain only dedicated desktop pools. To create a floating desktopentitlement, use the --isFloating option. A global desktop entitlementcan be either dedicated or floating. You cannot specify the--isDedicated option with the --multipleSessionAutoClean option.Applies only to global desktop entitlements.

--isFloating Creates a floating desktop entitlement. A floating desktop entitlement cancontain only floating desktop pools. To create a dedicated desktopentitlement, specify the --isDedicated option. A global desktopentitlement can be either floating or dedicated.Applies only to global desktop entitlements.

--disabled (Optional) Creates the global entitlement in the disabled state.

--description (Optional) Description of the global entitlement. The description cancontain between 1 and 1024 characters.

--fromHome (Optional) If the user has a home site, causes Horizon to begin searchingfor resources on the user's home site. If the user does not have a homesite, Horizon begins searching for resources on the site to which the useris currently connected.


VMware, Inc. 51

Table 5‑8. Options for Creating Global Entitlements (Continued)

Option Description

--multipleSessionAutoClean (Optional) Logs off extra user sessions for the same entitlement. Multiplesessions can occur when a pod that contains a session goes offline, theuser logs in again and starts another session, and the problem pod comesback online with the original session.When multiple sessions occur, Horizon Client prompts the user to select asession. This option determines what happens to sessions that the userdoes not select.If you do not specify this option, users must manually end their ownextra sessions, either by logging off in Horizon Client or by launching thesessions and logging them off.

--requireHomeSite (Optional) Causes the global entitlement to be available only if the userhas a home site. This option is applicable only when the --fromHomeoption is also specified.

--defaultProtocol (Optional) Specifies the default display protocol for desktops orapplications in the global entitlement. Valid values are RDP, PCOIP, andBLAST for global desktop entitlements and PCOIP and BLAST for globalapplication entitlements.

--preventProtocolOverride (Optional) Prevents users from overriding the default display protocol.

--allowReset (Optional) Allows users to reset desktops. Applies only to global desktopentitlements.

--htmlAccess (Optional) Enables the HTML Access policy, which allows users to use theHTML Access feature to access resources in the global entitlement. WithHTML Access, end users can use a Web browser to access remoteresources and are not required to install any client software on their localsystems.

--multipleSessionsPerUser (Optional) Enables the multiple sessions per user policy, which allowsusers to initiate separate desktop sessions from different client devices.Users that connect to the global desktop entitlement from different clientdevices receive different desktop sessions. To reconnect to an existingdesktop session, users must use the same device from which that sessionwas initiated. If you do not enable this policy, users are alwaysreconnected to their existing desktop sessions, regardless of the clientdevice that they use. Applies only to floating desktop entitlements.

--preLaunch (Optional) Enables the pre-launch policy, which launches the applicationsession before a user opens the global application entitlement inHorizon Client. When you enable the pre-launch policy, users can launchthe global application entitlement more quickly. All the application poolsin the global application entitlement must support the session pre-launchfeature, and the pre-launch session timeout must be the same for allfarms.

--tags (Optional) Specifies one or more tags that restrict access to the globalentitlement from Connection Server instances. To specify multiple tags,type a quoted list of tag names separated by a comma or semicolon. Formore information, see “Restricting Access to Global Entitlements,” onpage 13.

Exampleslmvutil --authAs adminEast --authDomain domainEast --authPassword "*" --createGlobalEntitlement

--entitlementName "Windows 8 Desktop" --scope LOCAL --isDedicated

lmvutil --authAs adminEast --authDomain domainEast --authPassword "*" --

createGlobalApplicationEntitlement --entitlementName "Microsoft Office PowerPoint" --scope LOCAL


52 VMware, Inc.

Modifying a Global EntitlementTo modify a global desktop entitlement, use the lmvutil command with the --updateGlobalEntitlementoption. To modify a global application entitlement, use the lmvutil command with the--updateGlobalApplicationEntitlement option.

Syntaxlmvutil --updateGlobalEntitlement --entitlementName name [--description text]

[--disabled] [--enabled] [--fromHome] [--disableFromHome] [--multipleSessionAutoClean]

[--disableMultipleSessionAutoClean] [--multipleSessionsPerUser] [--

disableMultipleSessionsPerUser]

[--requireHomeSite] [--disableRequireHomeSite] [--defaultProtocol value]

[--scope scope] [--htmlAccess] [--disableHtmlAccess] [--tags tags] [--notags]

lmvutil --updateGlobalApplicationEntitlement --entitlementName name [--description text]

[--disabled] [--enabled] [--fromHome] [--disableFromHome] [--multipleSessionAutoClean]

[--disableMultipleSessionAutoClean] [--requireHomeSite] [--disableRequireHomeSite]

[--defaultProtocol value] [--scope scope] [--htmlAccess] [--disableHtmlAccess]

[--appVersion value] [--appPublisher value] [--appPath value] [--tags tags] [--notags]

[--preLaunch] [--disablePreLaunch]

Usage NotesYou can use these commands on any Connection Server instance in a pod federation. The Cloud PodArchitecture feature stores new data in the Global Data Layer and replicates that data among all pods in thepod federation.

These commands return an error message if the global entitlement does not exist, the scope is invalid, theCloud Pod Architecture feature is not initialized, or the commands cannot update the global entitlement.

OptionsYou can specify these options when you modify a global entitlement. Some options apply only to globaldesktop entitlements or only to global application entitlements.

Table 5‑9. Options for Modifying Global Entitlements

Option Description

--entitlementName Name of the global entitlement to modify.

--scope Scope of the global entitlement. Valid values are as follows:n ANY. Horizon looks for resources on any pod in the pod federation.n SITE. Horizon looks for resources only on pods in the same site as

the pod to which the user is connected.n LOCAL. Horizon looks for resources only in the pod to which the

user is connected.

--description (Optional) Description of the global entitlement. The description cancontain between 1 and 1024 characters.

--disabled (Optional) Disables a previously enabled global entitlement.

--enabled (Optional) Enables a previously disabled global entitlement.

--fromHome (Optional) If the user has a home site, causes Horizon to begin searchingfor resources on the user's home site. If the user does not have a homesite, Horizon begins searching for resources on the site to which the useris currently connected.

--disableFromHome (Optional) Disables the --fromHome function for the global entitlement.


VMware, Inc. 53

Table 5‑9. Options for Modifying Global Entitlements (Continued)

Option Description

--multipleSessionAutoClean (Optional) Logs off extra user sessions for the same entitlement.Multiple sessions can occur when a pod that contains a session goesoffline, the user logs in again and starts another session, and theproblem pod comes back online with the original session.When multiple sessions occur, Horizon Client prompts the user to selecta session. This option determines what happens to sessions that the userdoes not select.If you do not specify this option, users must manually end their ownextra sessions, either by logging off in Horizon Client or by launchingthe sessions and logging them off.

--disableMultipleSessionAutoClean (Optional) Disables the --multipleSessionAutoClean function for theglobal entitlement.

--multipleSessionsPerUser (Optional) Enables the multiple sessions per user policy, which allowsusers to initiate separate desktop sessions from different client devices.Users that connect to the global desktop entitlement from different clientdevices receive different desktop sessions. To reconnect to an existingdesktop session, users must use the same device from which that sessionwas initiated. If you do not enable this policy, users are alwaysreconnected to their existing desktop sessions, regardless of the clientdevice that they use. Applies only to floating desktop entitlements.

--disableMultipleSessionsPerUser (Optional) Disables the multiple sessions per user policy for the globaldesktop entitlement.

--requireHomeSite (Optional) Causes the global entitlement to be available only if the userhas a home site. This option is applicable only when the --fromHomeoption is also specified.

--disableRequireHomeSite (Optional) Disables the --requireHomeSite function for the globalentitlement.

--defaultProtocol (Optional) Specifies the default display protocol for desktops orapplications in the global entitlement. Valid values are RDP, PCOIP, andBLAST for global desktop entitlements and PCOIP and BLAST forglobal application entitlements.

--htmlAccess (Optional) Enables the HTML Access policy, which allows users to usethe HTML Access feature to access resources in the global entitlement.With HTML Access, end users can use a Web browser to access remoteresources and are not required to install any client software on theirlocal systems.

--disableHtmlAccess (Optional) Disables the HTML Access policy for the global entitlement.

--appVersion (Optional) Version of the application.Applies only to global application entitlements.

--appPublisher (Optional) Publisher of the application.Applies only to global application entitlements.

--appPath (Optional) Full pathname of the application, for example, C:\ProgramFiles\app1.exe.Applies only to global application entitlements.

--tags (Optional) Specifies one or more tags that restrict access to the globalentitlement from Connection Server instances. To specify multiple tags,type a quoted list of tag names separated by a comma or semicolon. Formore information, see “Restricting Access to Global Entitlements,” onpage 13.

--notags (Optional) Removes tags from the global entitlement.


54 VMware, Inc.

Table 5‑9. Options for Modifying Global Entitlements (Continued)

Option Description

--preLaunch (Optional) Enables the pre-launch policy, which launches the applicationsession before a user opens the global application entitlement inHorizon Client. When you enable the pre-launch policy, users canlaunch the global application entitlement more quickly. All theapplication pools in the global application entitlement must support thesession pre-launch feature, and the pre-launch session timeout must bethe same for all farms.

--disablePreLaunch (Optional) Disables the pre-launch policy for the global applicationentitlement.

Exampleslmvutil --authAs adminEast --authDomain domainEast --authPassword "*" --updateGlobalEntitlement

--entitlementName "Windows 8 Desktop" --scope ANY --isDedicated

lmvutil --authAs adminEast --authDomain domainEast --authPassword "*"

--updateGlobalApplicationEntitlement --entitlementName "Microsoft Office PowerPoint" --scope ANY

Deleting a Global EntitlementTo delete a global desktop entitlement, use the lmvutil command with the --deleteGlobalEntitlementoption. To delete a global application entitlement, use the lmvutil command with the--deleteGlobalApplicationEntitlement option.

Syntaxlmvutil --deleteGlobalEntitlement --entitlementName name

lmvutil --deleteGlobalApplicationEntitlement --entitlementName name

Command UsageThese commands return an error message if the specified global entitlement does not exist, the Cloud PodArchitecture feature is not initialized, or the commands cannot delete the global entitlement.

OptionsYou use the --entitlementName option to specify the name of the global entitlement to delete.

Exampleslmvutil --authAs adminEast --authDomain domainEast --authPassword "*"

--deleteGlobalEntitlement --entitlementName "Windows 8 Desktop"


--deleteGlobalApplicationEntitlement --entitlementName "Microsoft Office PowerPoint"

Adding a Pool to a Global EntitlementUse the lmvutil command with the --addPoolAssociation option to add a desktop pool to a globaldesktop entitlement or an application pool to a global application entitlement.

Syntaxlmvutil --addPoolAssociation --entitlementName name --poolId poolid


VMware, Inc. 55

Usage NotesYou must use this command on a Connection Server instance in the pod that contains the pool. For example,if pod1 contains a desktop pool to associate with a global desktop entitlement, you must run the commandon a Connection Server instance that resides in pod1.

Repeat this command for each pool to become part of the global entitlement. You can add a particular poolto only one global entitlement.

Important If you add multiple application pools to a global application entitlement, you must add thesame application. For example, do not add Calculator and Microsoft Office PowerPoint to the same globalapplication entitlement. If you add different applications, the results will be unpredictable and entitled userswill receive different applications at different times.

This command returns an error message if the Cloud Pod Architecture feature is not initialized, the specifiedentitlement does not exist, the pool is already associated with the specified entitlement, the pool does notexist, or the command cannot add the pool to the global entitlement.

OptionsYou can specify these options when you add a pool to a global entitlement.

Table 5‑10. Options for Adding a Pool to a Global Entitlement

Option Description

--entitlementName Name of the global entitlement.

--poolID ID of the pool to add to the global entitlement. The pool ID must match the poolname as it appears on the pod.

Examplelmvutil --authAs adminEast --authDomain domainEast --authPassword "*" --addPoolAssociation

--entitlementName "Windows 8 Desktop" --poolId "Windows 8 Desktop Pool A"

Removing a Pool from a Global EntitlementUse the lmvutil command with the --removePoolAssociation option to remove a desktop pool from aglobal desktop entitlement or an application pool from a global application entitlement.

Syntaxlmvutil --removePoolAssociation --entitlementName name --poolID poolid

Usage NotesThis command returns an error message if the Cloud Pod Architecture feature is not initialized, the specifiedglobal entitlement or pool does not exist, or if the command cannot remove the pool from the globalentitlement.

OptionsYou can specify these options when you remove a pool from a global entitlement.


56 VMware, Inc.

Table 5‑11. Options for Removing a Pool from a Global Entitlement

Option Description

--entitlementName Name of the global entitlement.

--poolID ID of the pool to remove from the global entitlement. The pool ID must matchthe pool name as it appears on the pod.


--removePoolAssociation --entitlementName "Windows 8 Desktop" --poolID "Windows 8 Desktop Pool A"

Adding a User or Group to a Global EntitlementTo add a user to a global entitlement, use the lmvutil command with the --addUserEntitlement option.To add a group to a global entitlement, use the lmvutil command with the --addGroupEntitlementoption.

Syntaxlmvutil --addUserEntitlement --userName domain\username --entitlementName name

lmvutil --addGroupEntitlement --groupName domain\groupname --entitlementName name

Usage NotesRepeat these commands for each user or group to add to the global entitlement.

These commands return an error message if the specified entitlement, user, or group does not exist or if thecommand cannot add the user or group to the entitlement.

OptionsYou can specify these options when you add a user or group to a global entitlement.

Table 5‑12. Options for Adding a User or Group to a Global Entitlement

Option Description

--userName Name of a user to add to the global entitlement. Use the format domain\username.

--groupName Name of a group to add to the global entitlement. Use the formatdomain\groupname.

--entitlementName Name of the global entitlement to which to add the user or group.

Exampleslmvutil --authAs adminEast --authDomain domainEast --authPassword "*" --addUserEntitlement

--userName domainCentral\adminCentral --entitlementName "Agent Sales"


--addGroupEntitlement --groupName domainCentral\adminCentralGroup --entitlementName "Agent Sales"


VMware, Inc. 57

Removing a User or Group From a Global EntitlementTo remove a user from a global entitlement, use the lmvutil command with the --removeUserEntitlementoption. To remove a group from a global entitlement, use the lmvutil command with the--removeGroupEntitlement option.

Syntaxlmvutil --removeUserEntitlement --userName domain\username --entitlementName name

lmvutil --removeGroupEntitlement --groupName domain\groupname --entitlementName name

Usage NotesThese commands return an error message if the Cloud Pod Architecture feature is not initialized, if thespecified user name, group name, or entitlement does not exist, or if the command cannot remove the useror group from the entitlement.

OptionsYou must specify these options when you remove a user or group from a global entitlement.

Table 5‑13. Options for Removing a User or Group From a Global Entitlement

Option Description

--userName Name of a user to remove from the global entitlement. Use the formatdomain\username.

--groupName Name of a group to remove from the global entitlement. Use the formatdomain\groupname.

--entitlementName Name of the global entitlement from which to remove the user or group.

Exampleslmvutil --authAs adminEast --authDomain domainEast --authPassword "*"

--removeUserEntitlement --userName domainCentral\adminCentral --entitlementName "Agent Sales"


--removeGroupEntitlement --groupName domainCentral\adminCentralGroup --entitlementName "Agent

Sales"

Managing Home SitesYou can use lmvutil command options to create, modify, delete, and list home sites.

n Configuring a Home Site on page 59

To create a home site for a user, use the lmvutil command with the --createUserHomeSite option.To create a home site for a group, use the lmvutil command with the --createGroupHomeSiteoption. You can also use these options to associate a home site with a global desktop entitlement orglobal application entitlement.

n Deleting a Home Site on page 60To remove the association between a user and a home site, use the lmvutil command with the--deleteUserHomeSite option. To remove the association between a group and a home site, use thelmvutil command with the --deleteGroupHomeSite option.


58 VMware, Inc.

Configuring a Home SiteTo create a home site for a user, use the lmvutil command with the --createUserHomeSite option. Tocreate a home site for a group, use the lmvutil command with the --createGroupHomeSite option. Youcan also use these options to associate a home site with a global desktop entitlement or global applicationentitlement.

Syntaxlmvutil --createUserHomeSite --userName domain\username --siteName name [--entitlementName name]

lmvutil --createGroupHomeSite --groupName domain\groupname --siteName name [--entitlementName

name]

Usage NotesYou must create a site before you can configure it as a home site. See “Creating a Site,” on page 48.

These commands return an error message if the Cloud Pod Architecture feature is not initialized, thespecified user or group does not exist, the specified site does not exist, the specified entitlement does notexist, or the commands cannot create the home site.

OptionsYou can specify these options when you create a home site for a user or group.

Table 5‑14. Options for Creating a Home Site for a User or Group

Option Description

--userName Name of a user to associate with the home site. Use the formatdomain\username.

--groupName Name of a group to associate with the home site. Use the formatdomain\groupname.

--siteName Name of the site to associate with the user or group as the home site.

--entitlementName (Optional) Name of a global desktop entitlement or global applicationentitlement to associate with the home site. When a user selects the specifiedglobal entitlement, the home site overrides the user's own home site. If you donot specify this option, the command creates a global user or group home site.

Exampleslmvutil --authAs adminEast --authDomain domainEast --authPassword "*" --createUserHomeSite --

userName domainEast\adminEast --siteName "Eastern Region" --entitlementName "Agent Sales"


--createGroupHomeSite --groupName domainEast\adminEastGroup --siteName "Eastern Region"

--entitlementName "Agent Sales"


VMware, Inc. 59

Deleting a Home SiteTo remove the association between a user and a home site, use the lmvutil command with the--deleteUserHomeSite option. To remove the association between a group and a home site, use thelmvutil command with the --deleteGroupHomeSite option.

Syntaxlmvutil --deleteUserHomeSite --userName domain\username [--entitlementName name]

lmvutil --deleteGroupHomeSite --groupName domain\groupname [--entitlementName name]

Usage NotesThese commands return an error message if the specified user or group does not exist, the specified globalentitlement does not exist, or if the commands cannot delete the home site setting.

OptionsYou can specify these options when you remove the association between a user or group and a home site.

Table 5‑15. Options for Deleting a Home Site

Option Description

--userName Name of a user. Use the format domain\username.

--groupName Name of a group. Use the format domain\groupname.

--entitlementName (Optional) Name of a global desktop entitlement or global applicationentitlement. You can use this option to remove the association between thehome site and a global entitlement for the specified user or group.

Exampleslmvutil --authAs adminEast --authDomain domainEast --authPassword "*" --deleteUserHomeSite

--userName domainEast\adminEast


--deleteGroupHomeSite --groupName domainEast\adminEastGroup

Viewing a Cloud Pod Architecture ConfigurationYou can use lmvutil command options to list information about a Cloud Pod Architecture configuration.

n Listing Global Entitlements on page 61To list information about all global desktop entitlements, including their policies and attributes, usethe lmvutil command with the --listGlobalEntitlements option. To list information about allglobal application entitlements, including their policies and attributes, use the lmvutil command withthe --listGlobalApplicationEntitlements option.

n Listing the Pools in a Global Entitlement on page 61

Use the lmvutil command with the --listAssociatedPools option to list the desktop or applicationpools that are associated with a specific global entitlement.

n Listing the Users or Groups in a Global Entitlement on page 62

Use the lmvutil command with the --listEntitlements option to list all the users or groupsassociated with a specific global entitlement.


60 VMware, Inc.

n Listing the Home Sites for a User or Group on page 62To list all the configured home sites for a specific user, use the lmvutil command with the--showUserHomeSites option. To list all the configured home sites for a specific group, use thelmvutil command with the --showGroupHomeSites option.

n Listing the Effective Home Site for a User on page 63

Use the lmvutil command with the --resolveUserHomeSite option to determine the effective homesite for a specific user. Because home sites can be assigned to users and groups and to globalentitlements, it is possible to configure more than one home site for a user.

n Listing Dedicated Desktop Pool Assignments on page 64

Use the lmvutil command with the --listUserAssignments option to to list the dedicated desktoppool assignments for a user and global entitlement combination.

n Listing the Pods or Sites in a Cloud Pod Architecture Topology on page 64

To view the pods in the pod federation, use the lmvutil command with the --listPods option. Toview the sites in the pod federation, use the lmvutil command with the --listSites option.

Listing Global EntitlementsTo list information about all global desktop entitlements, including their policies and attributes, use thelmvutil command with the --listGlobalEntitlements option. To list information about all globalapplication entitlements, including their policies and attributes, use the lmvutil command with the--listGlobalApplicationEntitlements option.

Syntaxlmvutil --listGlobalEntitlements

lmvutil --listGlobalApplicationEntitlements

Usage NotesThese commands return an error message if the Cloud Pod Architecture feature is not initialized or if thecommands cannot list the global entitlements.

Exampleslmvutil --authAs adminEast --authDomain domainEast --authPassword "*" --listGlobalEntitlements


--listGlobalApplicationEntitlements

Listing the Pools in a Global EntitlementUse the lmvutil command with the --listAssociatedPools option to list the desktop or application poolsthat are associated with a specific global entitlement.

Syntaxlmvutil --listAssociatedPools --entitlementName name

Usage NotesThis command returns an error message if the Cloud Pod Architecture feature is not initialized or if thespecified global entitlement does not exist.


VMware, Inc. 61

OptionsYou use the --entitlementName option to specify the name of the global entitlement for which to list theassociated desktop or application pools.

Examplelmvutil --authAs adminEast --authDomain domainEast --authPassword "*" --listAssociatedPools

--entitlementName "Agent Sales"

Listing the Users or Groups in a Global EntitlementUse the lmvutil command with the --listEntitlements option to list all the users or groups associatedwith a specific global entitlement.

Syntaxlmvutil --listEntitlements {--userName domain\username | --groupName domain\groupname | --

entitlementName name}

Usage NotesThis command returns an error message if the Cloud Pod Architecture feature is not initialized or if thespecified user, group, or entitlement does not exist.

OptionsYou can specify these options when you list global entitlement associations.

Table 5‑16. Options for Listing Global Entitlement Associations

Option Description

--userName Name of the user for whom you want to list global entitlements. Use theformat domain\username. This option lists all global entitlements associatedwith the specified user.

--groupName Name of the group for which you want to list global entitlements. Use theformat domain\groupname. This option lists all global entitlements associatedwith the specified group.

--entitlementName Name of a global entitlement. This option lists all users and groups in thespecified global entitlement.

Examplelmvutil --authAs adminEast --authDomain domainEast --authPassword "*" --listEntitlements

--userName example\adminEast

Listing the Home Sites for a User or GroupTo list all the configured home sites for a specific user, use the lmvutil command with the--showUserHomeSites option. To list all the configured home sites for a specific group, use the lmvutilcommand with the --showGroupHomeSites option.

Syntaxlmvutil --showUserHomeSites --userName domain\username [--entitlementName name]

lmvutil --showGroupHomeSites --groupName domain\groupname [--entitlementName name]


62 VMware, Inc.

Usage NotesThese commands return an error message if the Cloud Pod Architecture feature is not initialized or if thespecified user, group, or global entitlement does not exist.

OptionsYou can specify these options when you list the home sites for a user or group.

Table 5‑17. Options for Listing the Home Sites for a User or Group

Option Description

--userName Name of a user. Use the format domain\username.

--groupName Name of a group. Use the format domain\groupname.

--entitlementName (Optional) Name of a global entitlement. Use this option if you want to show thehome sites for a user or group and global entitlement combination.

Examplelmvutil --authAs adminEast --authDomain domainEast --authPassword "*" --showUserHomeSites

--userName example\adminEast

lmvutil --authAs adminEast --authDomain domainEast --authPassword "*" --showGroupHomeSites

--groupName example\adminEastGroup

Listing the Effective Home Site for a UserUse the lmvutil command with the --resolveUserHomeSite option to determine the effective home sitefor a specific user. Because home sites can be assigned to users and groups and to global entitlements, it ispossible to configure more than one home site for a user.

Syntaxlmvutil --resolveUserHomeSite --entitlementName name --userName domain\username

Usage NotesThis command returns an error message if the Cloud Pod Architecture feature is not initialized or if thespecified global entitlement or user does not exist.

OptionsYou must specify these options when you list the effective home site for a user.

Table 5‑18. Options for Listing the Effective Home Site for a User

Option Description

--entitlementName Name of a global entitlement. This option enables you to determine theeffective home site for a user and global entitlement combination, which mightbe different from the home site that is configured for the user.

--userName Name of the user whose home site you want to list. Use the formatdomain\username.


--resolveUserHomeSite --userName domainEast\adminEast


VMware, Inc. 63

Listing Dedicated Desktop Pool AssignmentsUse the lmvutil command with the --listUserAssignments option to to list the dedicated desktop poolassignments for a user and global entitlement combination.

Syntaxlmvutil --listUserAssignments {--userName domain\username | --entitlementName name | --podName

name | --siteName name}

Usage NotesThe data produced by this command is managed internally by the Cloud Pod Architecture brokeringsoftware.

This command returns an error if the Cloud Pod Architecture feature is not initialized or if the commandcannot find the specified user, global entitlement, pod, or site.

OptionsYou must specify one of the following options when you list user assignments.

Table 5‑19. Options for Listing User Assignments

Option Description

--userName Name of the user for whom you want to list assignments. Use the formatdomain\username. This option lists the global entitlement, pod, and site assignments forthe specified user.

--entitlementName Name of a global entitlement. This option lists the users assigned to the specified globalentitlement.

--podName Name of a pod. This option lists the users assigned to the specified pod.

--siteName Name of a site. This option lists the users assigned to the specified site.

Examplelmvutil --authAs adminEast --authDomain domainEast --authPassword

"*" --listUserAssignments --podName "East Pod 1"

Listing the Pods or Sites in a Cloud Pod Architecture TopologyTo view the pods in the pod federation, use the lmvutil command with the --listPods option. To view thesites in the pod federation, use the lmvutil command with the --listSites option.

Syntaxlmvutil --listPods

lmvutil --listSites

Usage NotesThese commands return an error message if the Cloud Pod Architecture feature is not initialized or if thecommands cannot list the pods or sites.


64 VMware, Inc.

Examplelmvutil --authAs adminEast --authDomain domainEast --authPassword "*" --listPods

lmvutil --authAs adminEast --authDomain domainEast --authPassword "*" --listSites

Managing SSL CertificatesYou can use lmvutil command options to create and activate pending SSL certificates in a Cloud PodArchitecture environment.

The Cloud Pod Architecture feature uses signed certificates for bidirectional SSL to protect and validate theVIPA communication channel. The certificates are distributed in the Global Data Layer. The Cloud PodArchitecture feature replaces these certificates every seven days.

To change a certificate for a specific Connection Server instance, you create a pending certificate, wait for theGlobal Data Layer replication process to distribute the certificate to all Connection Server instances, andactivate the certificate.

The lmvutil command certificate options are intended for use only if a certificate becomes compromisedand a Horizon administrator wants to update the certificate sooner than seven days. These options affectonly the Connection Server instance on which they are run. To change all certificates, you must run theoptions on every Connection Server instance.

n Creating a Pending Certificate on page 65

Use the lmvutil command with the --createPendingCertificate option to create a pending SSLcertificate.

n Activating a Pending Certificate on page 65

Use the lmvutil command with the --activatePendingCertificate option to activate a pendingcertificate.

Creating a Pending CertificateUse the lmvutil command with the --createPendingCertificate option to create a pending SSLcertificate.

Syntaxlmvutil --createPendingCertificate

Usage NotesThis command returns an error message if the Cloud Pod Architecture feature is not initialized or if thecommand cannot create the certificate.

ExampleLMVUtil --authAs adminEast --authDomain domainEast --authPassword "*"

--createPendingCertificate

Activating a Pending CertificateUse the lmvutil command with the --activatePendingCertificate option to activate a pendingcertificate.

Syntaxlmvutil --activatePendingCertificate


VMware, Inc. 65

Usage NotesYou must use the lmvutil command with the --createPendingCertificate option to create a pendingcertificate before you can use this command. Wait for the Global Data Layer replication process to distributethe certificate to all Connection Server instances before you activate the pending certificate. VIPA connectionfailures and resulting brokering problems can occur if you activate a pending certificate before it is fullyreplicated to all Connection Server instances.

This command returns an error message if the Cloud Pod Architecture feature is not initialized or if thecommand cannot activate the certificate.


--activatePendingCertificate


66 VMware, Inc.

Index

Aallocating desktops 10architectural overview of Cloud Pod

Architecture 7assigning tags 19

Cconfiguration

tasks 17viewing 31, 60

Ddesktop sessions 33

Eexample of a basic configuration 26

Gglobal entitlements

adding desktop pools 22adding pools 55adding users and groups 34, 57creating 20, 28, 50deleting 36, 55introduction 10listing 61listing pools 61listing users and groups 62managing 50modifying 34, 53modifying attributes and policies 35removing desktop pools 34removing pools 56removing users and groups 34, 58

Global Data Layer 8glossary 5

Hhome sites

assigning 24configuring 59effective 63introduction 11listing 62, 64managing 58

modifying associations 37removing associations 37, 60

home site overrides 38Horizon URL 29

Iinitializing 17, 27, 44intended audience 5introduction 7

Llimitations 8lmvutil command

authenticating 42command options 42introduction 41output 42syntax 41

Mmanagement interfaces 31multiple sessions per user 11

Ppending certificates

activating 65creating 65

pod names, changing 47pod federations

joining pods 18, 28, 46managing 45removing pods 39, 46viewing health 32

Rrestricted global entitlements 13, 14

Sscope policy settings 11security considerations 16sites

adding pods 33, 48changing a name or description 49creating 23, 28, 48deleting 49

VMware, Inc. 67

introduction 9managing 47

SSL certificates 65

Ttag matching 13TCP port requirements 16testing 25topology

designing 9, 27limits 16viewing 64

Uunauthenticated users 12uninitializing 39, 45

VVIPA communication channel 8

WWorkspace ONE mode 15


68 VMware, Inc.

Documents

n Horizon 7 7 - VMware · Administering Cloud Pod Architecture in Horizon 7 Modified on 26 JUL 2017 VMware Horizon 7 7.2